CISSP Certification
Contents at a Glance
Introduction
A Glossary
B Overview of the Certification Process
C What’s on the CD-ROM
D Using the PrepLogic Practice Tests, Preview Edition Software
Index
00b 078972801x FM 10/21/02 3:39 PM Page iv
Table of Contents
5 Cryptography
Introduction
Uses of Cryptography
    Confidentiality
    Integrity
    Authentication
    Nonrepudiation
Cryptographic Concepts, Methodologies, and Practices
    Symmetric Algorithms
    Asymmetric Algorithms
    Message Authentication
    Hash Functions
    Digital Signatures
    Key Length
    One-Time Ciphers
PKI and Key Management
Methods of Attack
    General Attacks
    Specific Attacks
Exercises
Review Questions
Exam Questions
Answers to Review Questions
Answers to Exam Questions
A Glossary
Index
Preface
All CISSP candidates should tread carefully when dealing with these boot camps. They should be forewarned that if they’re found to be lying regarding their past work experience, as Roberta claims some boot camps are encouraging, they’ll lose their certification for violating the CISSP “Code of Ethics” they’re required to sign prior to taking the exam and are legally committed to.

In the past year, (ISC)2 has taken several steps to minimize the ability of candidates to misrepresent their work experience, including random audits of applications and requiring a candidate to obtain an endorsement of their professional experience by a CISSP. The endorser attests that the candidate’s assertions regarding professional experience are true to the best of their knowledge, and that the candidate is in good standing within the information security industry.

In addition, if a CISSP candidate attends a boot camp that utilizes materials from the actual test, as some boot camps claim, the candidate will also be in violation of the Code of Ethics and will lose their CISSP certification.

Also, candidates shouldn’t believe that a boot camp can increase CISSP exam pass rates, as several claim. As a matter of policy, (ISC)2 has never published its pass rates, so there is no way for a boot camp to legitimately claim high pass rates.

The key difference between the boot camps and (ISC)2 Institute training is fundamental: The institute’s goal is to provide an extensive overview of the Common Body of Knowledge (CBK), the compendium of information security practices and standards compiled and continually updated by (ISC)2 and used as the basis for the CISSP exam. (ISC)2 Institute’s instructors, who are all CISSPs trained by the consortium, allow CISSP candidates to understand the level of their knowledge of the CBK’s 10 domains for later study before taking the CISSP exam. Some of the institute’s instructors have been training CISSP candidates for 5 years or more, while many boot camps have often only been operating for a few months. Again, it’s the only training (ISC)2 recommends.

We want to reassure Roberta and other concerned CISSPs that (ISC)2 is making every effort to ensure that the certification remains the “gold standard” in the information security industry. We fully support her call for ethical behavior among all IT professionals.

Marc Thompson is Vice President of the (ISC)2 Institute (http://www.isc2.org/).

Reprinted with permission from Security Watch (http://lists.101com.com/NLS/pages/main.asp), 2002 101 Communications, LLC.
Roberta Bragg, CISSP, MCSE, and the original Security Evangelist, is a veteran of more than 25 years in IT. Her technical experience ranges from programming to systems administration and Windows network security design. She is an internationally acclaimed author and lecturer on Windows security.

Scott Barman is currently an information security and systems architecture analyst for The MITRE Corporation (www.mitre.org) working with the MITRE team to help the IRS modernize its IT infrastructure. He has been involved with information security for almost 20 years, nurturing the evolution of systems and their security requirements for commercial organizations and government agencies. Since the explosion of the Internet, and prior to joining MITRE, he has focused on various areas of security and policy development for many organizations in the Washington, D.C. area. Scott earned his undergraduate degree from the University of Georgia and a Master of Information Systems Management with a concentration in information security management from Carnegie Mellon University (www.mism.cmu.edu).

Philip Fites has worked for more than 34 years in informatics, from computer operations to business and project management. His current focus includes information systems security theory and practice. Since the early 1980s, a lifelong interest in information security has been transformed into a commitment to research on integrity and other issues of security in information systems, combined with a practical focus on applying his expertise to help clients clarify and achieve security objectives. Philip holds a bachelor of science in mathematics and an M.B.A. and studied for a Ph.D. in computing science at Queen’s University. He is coauthor of Control and Security of Computer Information Systems, The Computer Virus Crisis, and Information Systems Security: A Practitioner’s Reference, and he has published a number of works on various topics in computer security, software research, and educational planning methodology in various professional and industry publications. He has served as a director and president of the International Information Systems Security Certification Consortium (ISC)2. He is a member of the Standards Council of Canada’s Canadian Advisory Committee on Information Technology.

Wesley J. Noonan is currently a senior quality assurance representative with BMC Software, Inc. (www.bmc.com) working on its network management product line. Wes got his start in the United States Marine Corps working on its Banyan VINES network and has spent the past 10 years building, maintaining, and securing corporate networks ranging in size from 25 to 25,000 users. Wes is also an active trainer, developing and teaching his own custom, Cisco-based routing and switching curriculum. His certifications include MCSE, CCNA, CCDA, and NNCSS.

Benjamin Wright, recognized the world over as one of the leading lawyers in e-commerce, is the founding author of The Law of Electronic Commerce, a comprehensive book on the legality of electronic transactions, published by Aspen Law & Business. A graduate of Georgetown University Law Center, he is an independent attorney practicing computer security and e-commercial law in Dallas, Texas.
He has been a SANS instructor and speaker and is the author of the IDIC course Introduction to Logfile Analysis. He is an authorized SANS Unix security grader and is presently serving as the chair of the SANS GIAC Certified Intrusion Analyst Advisory Board. He is the author of the OS hardened Shadow IDS platform based on NSWC’s Shadow version 1.7 (available at http://www.whitehats.ca). In his spare time, he has worked as a technical reviewer for New Riders Publishing.

Lawrence S. Paccone is a principal national/systems security analyst at Northrop Grumman Information Technology TASC. As both a technical lead and project manager, he has worked in the Internet and network/systems security arena for more than 8 years.

Patrick “Swissman” Ramseier, CCNA, CISSP is a systems engineer at OKENA, makers of the StormSystem Intrusion Prevention System. OKENA has been delivering breakthrough security software products that proactively preserve the operational integrity of applications and host systems. OKENA StormSystem is a system of seamlessly integrated security products that act in unison to prevent existing and unknown attacks without relying on attack signatures. Patrick started out as a Unix system administrator. Over the past 14 years, he has been involved with corporate-level security design; architecture reviews; vulnerability assessments; VPN support; physical, network, and operating system security (Unix-Solaris, Linux, BSD, and Windows NT/2000); training; research; and post- and pre-sales. He has a B.A. in business and is working concurrently on his master’s and doctorate in computer science.
Dedication
Acknowledgments
We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we’re doing right, what we could do better, what areas you’d like to see us publish in, and any other words of wisdom you’re willing to pass our way.

As a publisher for Que, I welcome your comments. You can email or write me directly to let me know what you did or didn’t like about this book--as well as what we can do to make our books better.

Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book.

When you write, please be sure to include this book’s title and author as well as your name, email address, and phone number. I will carefully review your comments and share them with the author and editors who worked on the book.

Email: feedback@quepublishing.com

Mail: Jeff Riley
Que Publishing
201 West 103rd Street
Indianapolis, IN 46290 USA

For more information about this book or another Que title, visit our Web site at www.quepublishing.com. Type the ISBN (excluding hyphens) or the title of a book in the Search field to find the page you’re looking for.
CHAPTER OPENER
Each chapter begins with a set of features
designed to allow you to maximize study
time for that material.
INSTRUCTIONAL FEATURES WITHIN THE CHAPTER

These books include a large amount and different kinds of information. The many different elements are designed to help you identify information by its purpose and importance to the exam and also to provide you with varied ways to learn the material. You will be able to determine how much attention to devote to certain elements, depending on what your goals are. By becoming familiar with the different presentations of information, you will know what information will be important to you as a test-taker and which information will be important to you as a practitioner.

Note: Notes appear in the margins and contain various kinds of useful information, such as tips on the technology or administrative practices, historical background on terms and technologies, or side commentary on industry issues.
CASE STUDIES
Case Studies are presented throughout the
book to provide you with another, more
conceptual opportunity to apply the knowl-
edge you are developing. They also reflect
the “real-world” experiences of the authors
in ways that prepare you not only for the
exam but for application in your job. In
each Case Study, you will find similar ele-
ments: a description of a Scenario, the
Essence of the Case, and an extended
Analysis section.
Answers and Explanations: For each of the Review and Exam questions, you
will find thorough explanations located at the end of the section.
Introduction

The CISSP exam is the premier information security certification. A CISSP is acknowledged by both employers and consultants as a recognition of maturity, experience, and dedication in the information security industry. CISSPs are recognized as having a breadth of security knowledge unparalleled by other certification holders. Ten diverse domains of knowledge are covered on this exam. In addition to passing an exam, the certification requires candidates to have four years of security experience. You should consult the (ISC)2 Web site at www.isc2.org for a complete explanation of what acceptable security experience is.

This book is your one-stop shop. Although everything you need to know to pass the exam is in here, you still must meet the experience and ethical requirements set by the exam board. You do not have to take a class in addition to buying this book to pass the exam. However, depending on your personal study habits or learning style, you might benefit from buying this book and taking a class. You can locate a class by visiting the (ISC)2 Web site (http://www.isc2.org/cgi/content.cgi?category=15).

Training guides are meticulously crafted to give you the best possible learning experience for the particular characteristics of the technologies and management skills covered and the actual certification exam. The training guides provide you with the factual knowledge base you need for the exam but then take it to the next level, with case studies, exercises, and exam questions that require you to engage in the analytic thinking that is needed to pass the CISSP exam.

(ISC)2, the governing body of the CISSP exam, requires four years of experience in one or more of the 10 domains covered on the exam. A specific definition of exactly what type of experience qualifies can be found on the Web site (“Guidelines for Professional Experience Requirements,” http://www.isc2.org/cgi-bin/content.cgi?page=167).

HOW THIS BOOK HELPS YOU

This book takes you on a self-guided tour of all the areas covered by the CISSP exam and teaches you the specific knowledge you need to achieve your certification. The book also contains helpful hints, tips, real-world examples, and exercises, as well as references to additional study materials. Specifically, this book is set up to help you in the following ways:

• Organization—This book is organized by the (ISC)2 Common Body of Knowledge (CBK) domains. No official list of exam objectives exists, but the domain definitions provided by the (ISC)2 organization have been organized by the authors into helpful objectives. We have also attempted to make the information accessible in the following ways:
    • The full list of domain and compiled objectives is included in this introduction.
    • Each chapter begins with a list of the objectives to be covered.
    • Each chapter also begins with an outline that provides you with an overview of the material and the page numbers where particular topics can be found.
    • The objectives are repeated where the material most directly relevant to it is covered.
• Instructional features—This book has been designed to provide you with multiple ways to learn and reinforce the exam material. Following are some of the helpful methods:
    • Objective explanations—As mentioned previously, each chapter begins with a list of the objectives covered in the chapter. In addition, immediately following each objective is an explanation of the objective, in a context that defines it meaningfully.
    • Study strategies—The beginning of each chapter also includes strategies for approaching the studying and retention of the material in the chapter, particularly as it is addressed on the exam but also in ways that will benefit you on the job.
    • Review breaks and summaries—Crucial information is summarized at various points in the book in lists or tables. Each chapter ends with a summary, as well.
    • Key terms—A list of key terms appears at the end of each chapter.
    • Notes—Notes contain various types of useful or practical information such as tips on technology or administrative practices, historical background on terms and technologies, or side commentary on industry issues.
    • In the Field sidebars—These relatively extensive discussions cover material that might not be directly relevant to the exam but that is useful as reference material or in everyday practice. In the Field sidebars also provide useful background or contextual information that is necessary for understanding the larger topic under consideration.
    • Case studies—Each chapter concludes with a case study. The cases are meant to help you understand the practical applications of the information covered in the chapter.
    • Step By Steps—These are hands-on, tutorial instructions that walk you through a particular function relevant to the exam objectives.
    • Exercises—Found at the end of the chapters in the “Apply Your Knowledge” section, exercises are performance-based opportunities for you to learn and assess your knowledge.
• Extensive practice test options—The book provides numerous opportunities for you to assess your knowledge and practice for the exam. The practice options include the following:
    • Review questions—These open-ended questions appear in the “Apply Your Knowledge” section at the end of each chapter. They allow you to quickly assess your comprehension of what you just read in the chapter. Answers to the questions are provided later in a separate section titled “Answers to Review Questions.”
    • Exam questions—These questions appear in the “Apply Your Knowledge” section. You can use them to help determine what you know and what you need to review or study further. Answers and explanations for these questions are provided in a separate section titled “Answers to Exam Questions.”
• Final Review—This part of the book provides three valuable tools for preparing for the exam:
    • Fast Facts—This condensed version of the information contained in the book is extremely useful for last-minute review.
    • Study and Exam Day Tips—You should read this section early on, to help develop study strategies. This section also provides valuable exam-day tips and information on exam/question format.
    • Practice Exam—A practice test is included. Questions on this practice exam are written in styles similar to those used on the actual exam. You should use the practice exam to assess your readiness for the real thing. Use the extensive answer explanations to improve your retention and understanding of the material.
    • PrepLogic—The Preview Edition of the PrepLogic software, which is included on the CD-ROM, provides further practice questions.

For more information about this book or the certification process, refer to the (ISC)2 Web site at www.isc2.org.

WHAT THE CISSP EXAM COVERS

The CISSP exam covers a broad range of information security subjects. They are organized into 10 domains. The domains are

1. Access Control Systems and Methodology
2. Telecommunications and Network Security
3. Security Management Practices
4. Application and Systems Development Security
5. Cryptography
6. Security Architecture and Models
7. Operations Security
8. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
Telecommunications
• Firewalls
• Physical layer
• Data Link layer
Know how to set policies and how to derive standards and guidelines and implement procedures to meet policy goals.
Set information security roles and responsibilities throughout your organization.
Understand how the various protection mechanisms are used in information security management.
Understand the considerations and criteria for classifying data.
Determine how employment policies and practices are used to enhance information security in your organization.
Use change control to maintain security.
Know what is required for security awareness training.

Domain 4: Applications and Systems Development
Explore software/data issues and describe software and data handling applications.
Demonstrate an understanding of the following:
• Challenges of a distributed/nondistributed environment
• Databases and data warehousing issues
• Storage and storage systems
• Knowledge-based systems
• Web services and other examples of edge computing
Discuss the types of attacks made on software vulnerabilities.
Describe and define malicious code.
Use coding practices that reduce system vulnerability.

Domain 5: Cryptography
Discuss the uses of cryptography including confidentiality, integrity, authentication and nonrepudiation.
Compare and contrast symmetric and asymmetric algorithms.
Describe PKI and key management.
Detail common methods of attacking encryption including general and specific attacks.

Domain 6: Security Architecture and Models
Explain the difference between public versus government requirements for security architecture and models.
Discuss examples of security models including the following:
• Bell-LaPadula
• Biba
• Clark-Wilson
• Access control lists
Explain the basics of security architecture.
Describe and contrast information system security standards including:
• Trusted Computer System Evaluation Criteria (TCSEC)
• Information Technology Security Evaluation Criteria (ITSEC)
• Explain the necessary components of reconstruction procedures, including reconstruction from backup, movement of files from offsite storage, and loading of software, software updates, and data.
Explain the need for, and development of, a backup strategy. Include information on determining what to back up, how often to back up, as well as the proper storage facility for backups.

Domain 9: Law, Investigation,

Domain 10: Physical Security
• Know the general criteria that apply to the location and construction of facilities.
• Understand basic methods of controlling physical access to an area.
• Know the basic issues relating to regulating the power supply for computers and other equipment.
• Understand common sources of exposure to water and simple countermeasures.
Understand some of the most common vulnerabilities and how they affect different asset classes differently.
More extensive tips are found in the “Study and Exam Prep Tips” section, but keep this advice in mind as you study:

• Read all the material—The CISSP domains are broad, and no official list of objectives is published. Instead, any applicant can obtain an (ISC)2 study guide that defines the domains and an extensive recommended reading list. You can obtain your copy directly from www.isc2.org. Distributing the guide is not permitted.
• Do the Step By Steps and complete the exercises in each chapter—They will help you clarify the concepts introduced in the text.
• Use the exam questions to assess your knowledge—Don’t just read the chapter content; use the exam questions to find out what you know and what you don’t know. If you are struggling, study some more, review, and then assess your knowledge again.
• Review the objectives—Develop your own questions and examples for each objective listed. If you can develop and answer several questions for each objective, you may find the exam less difficult to pass. If you develop a question for which you can’t find the answer in the book, do go ahead and find the answer elsewhere. The CISSP exam is constantly evolving, and so is the information security profession. This additional knowledge may prove to be valuable, perhaps essential, to you some day.

Remember that the primary objective is not to pass the exam, but to understand the material. When you understand the material, passing the exam should be simple. Good luck!

NOTE: Exam-Taking Advice
Although this book is designed to prepare you to take and pass the CISSP certification exam, there are no guarantees. Read this book, and work through the questions and exercises. When you feel confident, take the practice exam and additional exams provided in the PrepLogic test software. Your results should tell you whether you are ready for the real thing.

When taking the actual certification exam, make sure you answer all the questions before your time limit expires. Do not spend too much time on any one question. If you are unsure about the answer to a question, answer it as best you can; then mark it for review when you have finished the rest of the questions.
PART I
EXAM PREPARATION
5 Cryptography
7 Operations Security
10 Physical Security
CHAPTER 1
Access Control Systems and Methodology

OBJECTIVES

• With any organization, there is continual change occurring, and security is continually changing and must be updated periodically. Access control is no exception and must be kept up-to-date and administered on a regular basis.
OUTLINE

Passwords
One-Time Passwords
Challenge Response
Biometrics
Tickets
Single Sign-On
Chapter Summary
Apply Your Knowledge
STUDY STRATEGIES

• Read each section carefully and make sure you understand the concepts.
• Apply the concepts that are described in each section to see how they fit or how they could fit into your organization.
• After you complete the chapter, look at how each of the concepts is interrelated and how together they result in a comprehensive security solution.
INTRODUCTION
A key part of security is controlling access to critical information.
This chapter examines the various schemes used for accomplishing
this. In talking about access control, it is important that we distin-
guish between authentication and access control. Some people think
of the two terms as being similar or interchangeable, but they are
quite different. Passwords and similar techniques usually provide
only authentication—they identify a user and verify that the user is
who he says he is. Just because you know that a certain person is
actually Bob does not mean that Bob should have access to every
piece of data on your network. That is where access controls come
in. After you properly identify a user, you then want to control what
access he is given on the system. In most cases, you want to give the
user the least amount of access he needs to do his job and nothing
else. This concept is often referred to as the principle of least
privilege, and it is what combining authentication with access
control lets you enforce.
Both authentication and access control are needed to achieve a high
level of security. One without the other leaves huge security holes that
allow an attacker a high chance of compromising a target’s network.
place, it might take a while for an attacker to compromise an account and guess a password, but once he does, he has full access to the systems. When no access controls are in place, there is nothing stopping anyone from getting to any piece of data that he wants. Also, by having only authentication, an internal user is allowed full access, which could cause a lot of damage either intentionally or accidentally. I have been involved with more incidents that were caused by accidents because legitimate users had more access than they should have had and accidentally caused major network problems.

Looking at it from the other perspective, having access control with no authentication means that people are limited to what they can do on your network. However, because you have no way to identify a given user, anyone could impersonate any other user to get the access he needs. So, even though Bob has limited access, he could impersonate the root account—which has full access—and do whatever he wants on the system. Nothing would stop Bob from doing this because no authentication is done against anyone, so the system believes whatever the user tells it. This, as you can imagine, is extremely dangerous and hardly ever done. It is more common to see authentication without access controls, rather than access controls with no authentication.

NOTE: Legislation of Privacy and Security
Because privacy of personal data and the security of the systems that contain this and other sensitive information are of increasing concern, legislation has been written to address the issue. The Health Insurance Portability and Accountability Act of 1996 (HIPAA, http://cms.hhs.gov/hipaa/) dictates how patient data should be protected at hospitals, insurance companies, and other places it might be collected and used. The Gramm-Leach-Bliley Act includes regulations that “…require clear disclosure by financial institutions of their privacy policy regarding the sharing of non-public personal information with both affiliates and third parties.” See http://www.senate.gov/~banking/conf/grmleach.htm for more information.
ACCOUNTABILITY
Discuss the relationship between access control and
accountability.
Would anyone follow the speed limit if we knew for a fact that there
was no chance we would be pulled over? If there is no chance that
we could be held accountable for our actions, there is a good chance
that most people would drive as fast as they possibly could. Now,
there are certain people, like my dad, who would drive 55mph no
matter what the speed limit was, but most of us are kept honest
because we know there is a chance that there could be a cop around
any corner who would hold us accountable by giving us a ticket.
This same concept of accountability is critical when it comes to
security—mainly access controls.
Access controls are important, but how do you determine the proper
access controls an individual or entity should have on a system?
There are two general types of access control: discretionary and
mandatory access controls. They are often referred to by their
acronyms: DAC (discretionary access control) and MAC (mandatory
access control).
What usually occurs with MAC is that both the hierarchical levels,
such as secret and top secret, are combined with compartmentation
to provide a finer granularity of control. When the system enforces
MAC, it first makes sure you have a level equal to or greater than the
data you are trying to access and that you have all the proper com-
partmentations to access the data. For example, if Bob has top secret
access with HR and engineering compartments, he can access data at
the secret level with no compartments. He can also access secret data
with an HR compartment. However, if Bob tries to access a system at
the secret level with a finance compartment, the system will not let
him have access. The level of access is appropriate, but because he is
missing a compartment, the system denies him access to the data.
One other key point is that when we think of MAC, we are so
accustomed to government organizations that we immediately think
secret, top secret, and so on, but that does not have to be the case.
You can come up with whatever levels of access you want. For exam-
ple, you could have company proprietary, company sensitive, and
executive staff only. These would roughly be equivalent to confiden-
tial, secret, and top secret, respectively.
If you want information to flow both ways, you have to explicitly put
two arrows in place. For example, if you wanted to have a two-way flow
relation, you would write the following:
confidential → confidential
confidential ← confidential
Because lattice-based access controls are usually drawn as directed graphs, a lattice is considered a graph that follows the previous set of rules. Let’s look at a simple example of a lattice to emphasize what we mean by lattice-based access controls. Figure 1.1 illustrates the concept of compartments within an organization. Let’s say that there is a finance compartment and an engineer compartment. For this example, the security class would consist of two elements (finance, engineer).
FIGURE 1.1 A simple lattice-based access control model. (Nodes from bottom to top: {}; {finance} and {engineer}; {finance, engineer}.)
Let’s go through the four properties to make sure Figure 1.1 is a lattice. The first property is that the security class must be finite and not change. In this case, the security class consists of only two elements—finance and engineer. The second property says it must be a partial order, which implies reflexive, anti-symmetric, and transitive. Typically, when drawing a lattice, you do not draw the reflexive or transitive arrows because they clutter the diagram, but they are implied by the model. So, information can flow from finance to finance even though it is not explicitly shown with an arrow. Therefore, the reflexive property is true for this diagram. Information can also flow from {} to {finance, engineer}, so the transitive property also holds true.
For it to be a partial order, the last property we have to look at is anti-symmetric. In this case, all the information flows are one way, so the anti-symmetric property is true—meaning this lattice is a partial order. For clarification, the diagram could also be drawn with the reflexive and transitive arrows explicitly added, as shown in Figure 1.2.
FIGURE 1.2 Lattice shown with reflexive and transitive edges added. (Same nodes as Figure 1.1.)
Next, you have to ensure that there is a lower bound or a null set from which everything else is derived. In this case, because the {} contains nothing, this is the lower bound. The final criterion is that an upper bound exists, composed of all the elements in the security class. Because only two items are in the security class, the upper bound {finance, engineer} contains them both. Therefore, the diagram is a lattice and can indeed be used to enforce information flow with lattice-based access controls.
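As an added worked example (not code from the book), the four lattice properties can be checked mechanically for the Figure 1.1 compartments, taking "information may flow from a to b" to mean that b holds every compartment a holds. The `two_way` relation and the diagram with {} removed are constructed counterexamples showing which property each one breaks; all names here are my own.

```python
from itertools import combinations

# Constructed from the text: the security class of Figure 1.1 is fixed and finite
# (a frozenset cannot change), which is the first of the four properties.
SECURITY_CLASS = frozenset({"finance", "engineer"})


def powerset_nodes(elements):
    """Every label that can be formed from the security class, {} up to the full set."""
    elements = sorted(elements)
    return [frozenset(c) for k in range(len(elements) + 1)
            for c in combinations(elements, k)]


def flows(a, b):
    """Information may flow from label a to label b when b holds every
    compartment a holds (subset ordering); these are the arrows of Figure 1.1."""
    return a <= b


def two_way(a, b):
    """Constructed counterexample: arrows drawn in both directions, like the
    'confidential -> confidential / confidential <- confidential' pair."""
    return a <= b or b <= a


def check_lattice(nodes, rel):
    """Test the remaining three properties the text lists: a partial order
    (reflexive, anti-symmetric, transitive), a unique lower bound and a unique upper bound."""
    reflexive = all(rel(a, a) for a in nodes)
    antisymmetric = all(a == b or not (rel(a, b) and rel(b, a))
                        for a in nodes for b in nodes)
    transitive = all(rel(a, c) or not (rel(a, b) and rel(b, c))
                     for a in nodes for b in nodes for c in nodes)
    lower = [a for a in nodes if all(rel(a, b) for b in nodes)]  # flows to everything
    upper = [b for b in nodes if all(rel(a, b) for a in nodes)]  # everything flows to it
    return {
        "partial_order": reflexive and antisymmetric and transitive,
        "lower_bound": lower[0] if len(lower) == 1 else None,
        "upper_bound": upper[0] if len(upper) == 1 else None,
    }


def is_lattice(nodes, rel):
    r = check_lattice(nodes, rel)
    return r["partial_order"] and r["lower_bound"] is not None and r["upper_bound"] is not None


if __name__ == "__main__":
    nodes = powerset_nodes(SECURITY_CLASS)
    print("Figure 1.1 is a lattice:", is_lattice(nodes, flows))
    print("with two-way arrows:", check_lattice(nodes, two_way))
    print("without {}:", check_lattice([n for n in nodes if n], flows))
```

Removing {} leaves {finance} and {engineer} with no common node below them, so the lower bound disappears even though the remaining arrows are still a partial order; adding arrows in both directions keeps the bounds but destroys anti-symmetry.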
For those of us who have worked in government facilities, lattice-
based access controls might seem easy to understand, but it’s impor-
tant to understand the mechanics behind it.
By creating a single group that has all the possible access a senior
engineer might need, some people have more access than what they
need to perform their jobs. This breaches the principle of least privi-
lege. Therefore, groups are typically created based on certain levels of
functionality; then, a given position might have three to four groups
associated with it. When a person is given a new role or position
based on what functions he will perform, he is added to the appro-
priate groups.
This denies access from the 10.x.x.x network and allows any other
traffic. Essentially, any IP address whose first octet is 10 is denied
access, but any other IP address is allowed or permitted.
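The ACL listing itself is not reproduced on this page, so the following added example (not the book's own code) assumes the two rules the paragraph describes, deny 10.0.0.0/8 and then permit everything else, and evaluates them first-match as routers generally do, with an implicit deny when nothing matches. The rule tuples and the `evaluate` function are my own.

```python
import ipaddress

# Constructed rule list standing in for the two-line ACL the text describes:
# rule 1 denies anything whose first octet is 10, rule 2 permits everything else.
ACL = [
    ("deny", ipaddress.ip_network("10.0.0.0/8")),
    ("permit", ipaddress.ip_network("0.0.0.0/0")),
]


def evaluate(acl, source_ip, default="deny"):
    """First-match evaluation: the first rule whose network contains the source
    address decides. If no rule matches, the implicit default (deny) applies."""
    addr = ipaddress.ip_address(source_ip)
    for action, network in acl:
        if addr.version == network.version and addr in network:
            return action
    return default


def decisions(acl, sources):
    """Evaluate a batch of source addresses; handy for eyeballing a rule set."""
    return {src: evaluate(acl, src) for src in sources}


if __name__ == "__main__":
    for src, action in decisions(ACL, ["10.1.2.3", "11.0.0.1", "192.168.1.5"]).items():
        print(f"{src:>14} -> {action}")
```

Order matters: the same two rules reversed would permit 10.x.x.x, because the permit-any rule would match first, and a list containing only the deny rule blocks everyone, because the implicit default takes over for unmatched addresses.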
IN THE FIELD
Notice the key word when someone leaves the company—you dis-
able her account; you do not delete her account. It is a common
mistake to delete accounts when people leave the company.
Instead, you should disable the account for a certain period of
time. Then, after an account has been disabled for a certain peri-
od, you can delete it. This is done for two main reasons. First, it is
common for people to leave a company or think they are leaving a
company and then decide to come back to work for that same
company. Second, some operating systems remove access to
resources when you delete an account. If a company has a market-
ing employee who has left the company and she is being replaced
by a new employee, you want the new employee to have the same
access as the old employee. If the old employee’s account was
deleted, you have no idea what access she had. So, assigning
access to the new employee is more difficult. On the other hand, if
you just disabled the old employee’s account, you could rename it
to the new employee so he instantly has all the same access the
previous employee had.
Account Administration
When a new account is set up, the administrator needs to assign a
temporary password for the account. It is recommended that you
create an initial random password for each account as opposed to
using a standard account across a company. If a standard password is
used across a company, then whenever a new account is created or a
password is reset on the account, anyone who knows the standard
password could get access to the account. It is better to generate a
unique password for each account; then when the user needs to log
on, she can call the help desk to get the new password.
The first time the person logs in with the temporary password she is
forced to change her password to something that only she knows.
Access control works only if a single person is the only one who has
access to a given account or is the only one who knows the pass-
word. If multiple people have access to the same password, you lose
accountability for who is doing what on your systems and network.
Keeping a one-to-one relationship between accounts and employees
is an easy way to track who is doing what. You monitor and keep
track of access controls through logging. It is recommended when
logging events to log both success and failures. Some administrators
log only failures, but this does not give you sufficient information to
make decisions. For example, if you logged only failed events, you
would not have the complete picture of what is happening on your
network. Let’s say your logs show five failed logon attempts for Sally,
followed by five failed logon attempts for Bob. You know that some-
one is trying to gain access, but you do not know whether he actual-
ly got into Sally’s account or whether he got tired and moved on to
Bob’s. Only by showing both failed and successful attempts can you
tell whether someone actually gained access to a given account.
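To show why both successes and failures need to be logged, here is an added example (not from the book) that runs the Sally/Bob scenario over constructed log lines. The log format, the five-failure threshold and the `parse` and `classify` functions are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed log lines: five failures for sally followed by a success, five
# failures for bob with no success, and one unrelated success for alice.
LOG_LINES = """\
2002-10-21 09:00:01 LOGON FAILURE user=sally src=10.1.1.7
2002-10-21 09:00:05 LOGON FAILURE user=sally src=10.1.1.7
2002-10-21 09:00:09 LOGON FAILURE user=sally src=10.1.1.7
2002-10-21 09:00:13 LOGON FAILURE user=sally src=10.1.1.7
2002-10-21 09:00:17 LOGON FAILURE user=sally src=10.1.1.7
2002-10-21 09:00:21 LOGON SUCCESS user=sally src=10.1.1.7
2002-10-21 09:01:02 LOGON FAILURE user=bob src=10.1.1.7
2002-10-21 09:01:06 LOGON FAILURE user=bob src=10.1.1.7
2002-10-21 09:01:10 LOGON FAILURE user=bob src=10.1.1.7
2002-10-21 09:01:14 LOGON FAILURE user=bob src=10.1.1.7
2002-10-21 09:01:18 LOGON FAILURE user=bob src=10.1.1.7
2002-10-21 09:30:00 LOGON SUCCESS user=alice src=10.1.1.20
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGON (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def classify(events, threshold=5):
    """Per account, count consecutive failures. A success right after a run of
    at least `threshold` failures means the guessing very likely worked
    ('compromised'); a run of failures alone is only an 'attempted' logon."""
    streak = defaultdict(int)
    verdict = {}
    for e in events:
        user = e["user"]
        if e["result"] == "FAILURE":
            streak[user] += 1
            if streak[user] >= threshold:
                verdict[user] = "attempted"
        else:
            if streak[user] >= threshold:
                verdict[user] = "compromised"
            streak[user] = 0
    return verdict


def failures_only(lines):
    """Simulate an administrator who logs failures only."""
    return [line for line in lines if "FAILURE" in line]


if __name__ == "__main__":
    print("both logged:    ", classify(parse(LOG_LINES)))
    print("failures only:  ", classify(parse(failures_only(LOG_LINES))))
```

With only failures logged, Sally and Bob look identical; the success record is what separates an account that was actually entered from one that merely withstood guessing.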
When assigning permissions to accounts, you should give someone
the least amount of access he needs to do his job, and nothing else.
Notice that you should give people enough access to do their jobs
and take away all other extraneous access to this system.
Also, for access to sensitive information, you should maintain a
separation of duties. This involves taking sensitive access and breaking
it up among several individuals. If access is needed to this informa-
tion, multiple people must participate to gain access. This is often
seen in military movies where access is needed to nuclear weapons.
Two people must both insert their keys and turn them at the same
time to get the necessary access.
Bell-LaPadula
The Bell-LaPadula (BLP) model deals with the flow of information
from a confidentiality standpoint. Remember that the definition of
Simple Security
The simple security rule deals with reading information and ensures
that someone cannot read information they do not have access to read.
The simple security rule states that a principal (P) can read an object
(O) only if the security label of P is higher than (or equal to) the
security level of O. This means that information can flow from secu-
rity level O to security level P. An example might help explain this:
Star Property
The star, or *, property deals with the writing of information. It
states that a principal (P) can write to an object (O) only if the secu-
rity label of O is higher than (or equal to) the security label of P.
This means information can flow from security label P to security
label O. This rule states that a user can write to an object only if the
security label is equal to or greater than his own. If a principal has a
security label of secret, he can write to an object with a security label
of secret or top secret but cannot write to an object with a label of
confidential or unclassified. This might seem a little strange, but it is
meant to prevent the leakage of information.
The star property is meant to protect against write-down Trojan hors-
es. Let’s say that a principal with a confidential security label wants to
read a secret document, but the system does not allow him. Someone
could insert a Trojan horse into a program that a principal who has a
secret security label uses. When he does his work, this Trojan horse
works in the background, reads the secret document, and writes it to
a confidential document. The evildoer who had only confidential
access could now read the information because the Trojan horse put
the information in a document with a security label that the principal
could access. The star property prevents this from happening.
However, this property is still a little dangerous because it allows a
principal to write to a higher level, which could result in an integrity
problem. Let’s say that a principal has a secret security label and a
document is labeled top secret. Even though the principal cannot
read the document, he can still write to the document—despite the
fact that he does not know what it says. So, this principal could
overwrite critical pieces of the document, making the document no
longer accurate and resulting in an integrity problem. The principal
could also overwrite all the information so no one can read it, result-
ing in a denial-of-service attack.
Biba
The Biba model is similar to BLP except for the fact that, instead of
dealing with confidentiality, it deals with integrity. It does not care
whether someone can gain access to information she should not have
access to as long as she cannot change the content so that it is no
longer accurate. Biba has the same two rules BLP has:
• Simple security deals with reading.
• The star property deals with writing.
The big difference, which seems confusing at first, is that both rules
are the opposite of the BLP model.
With BLP, the rule is that you cannot read up—a principal cannot
read an object that has a higher security label. Because Biba deals with
integrity, the rule is switched to not read down. The simple security
rule with Biba says that a principal (P) can read an object (O) only if
the security label of O is higher than the security label of P.
The star property of Biba says you cannot write up, which once
again is the opposite of BLP. The star property with Biba says a prin-
cipal (P) can write to an object (O) if the security label of P is higher
than the security label of O.
If you examine both models, they are equivalent except for the fact
that BLP is a bottom-up model, which says that information can
flow from the bottom to the top. Biba, on the other hand, is a top-
down model, which means information can flow from the top
down.
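As an added example (not from the book), the following code implements the label comparison that the MAC discussion (Bob with top secret plus HR and engineering compartments), the BLP simple and star properties, and the mirror-image Biba rules all share. It uses "at least as high" (greater than or equal) throughout, as the BLP text does; the level names, `Label` class and function names are my own.

```python
from dataclasses import dataclass

# Hierarchical levels, lowest to highest. As the text notes, the names are
# arbitrary: a company could just as well use proprietary / sensitive / executive only.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self is at least as restrictive as other: level at least as high AND
        every compartment of other is also held by self."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_can_access(subject, obj):
    """The MAC check described for Bob: level high enough and all compartments held."""
    return subject.dominates(obj)


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject, obj):
    """Simple security: the subject's label must dominate the object's."""
    return subject.dominates(obj)


def blp_can_write(subject, obj):
    """Star property: the object's label must dominate the subject's."""
    return obj.dominates(subject)


# Biba (integrity): the mirror image, no read down, no write up.
def biba_can_read(subject, obj):
    """Biba simple security: the object's label must dominate the subject's."""
    return obj.dominates(subject)


def biba_can_write(subject, obj):
    """Biba star property: the subject's label must dominate the object's."""
    return subject.dominates(obj)


if __name__ == "__main__":
    bob = Label("top secret", frozenset({"HR", "engineering"}))
    for obj in (Label("secret"), Label("secret", frozenset({"HR"})),
                Label("secret", frozenset({"finance"}))):
        print(obj, "->", mac_can_access(bob, obj))
    secret, top = Label("secret"), Label("top secret")
    print("BLP: secret principal reads top secret:", blp_can_read(secret, top),
          "writes top secret:", blp_can_write(secret, top))
```

The last two calls reproduce the integrity gap the text describes: under BLP a secret principal may write to a top secret document it cannot read, whereas under Biba that same write is refused.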
REVIEW BREAK
Summary of BLP and Biba
I would recommend remembering the following key points about
BLP and Biba:
BLP model:
• Simple security
• Star property
• Deals with confidentiality
Biba model:
• Deals with integrity.
• The rules of Biba are the opposite of BLP.
Lipner’s Lattice
As stated earlier, most of the models we have talked about relate to
government settings. These models, however, can easily be applied to
commercial settings, and that is exactly what Lipner did. He
applied lattices and the principles we talked about to non-military
examples. Essentially, he changed the labels from terms such as con-
fidential and secret to system programmers, production code, and so on.
Non-Inference Models
Non-inference models deal with examining the input to and output
from a system and seeing whether you can infer any information
that you should not have access to. These models tend to be more
theoretical in nature, but they are still beneficial to understand. The
general principle is that you have a system with several inputs and
several outputs, and if you modify or purge any of the inputs, the
outputs should remain unchanged. The reason for this is if you can
modify an input and a one-to-one relationship exists between inputs
and outputs, an output would change and you could start to infer
information about the system.
Passwords
A password is typically a word the user picks to prove he is the owner
of the account. The problem with typical passwords is users tend to
choose easy-to-guess passwords. Even with password policies, users
still pick passwords that are composed of dictionary words because
they’re easy to remember. It is recommended that you encourage
users to pick passwords that are long; contain lowercase letters,
uppercase letters, numbers, and special characters intermixed; and
contain no dictionary words within.
Because users are ultimately in control of what passwords they
choose, authentication methods based on user-derived passwords
tend to be weak. Even if a company automatically derives the pass-
word for the user, this is still not considered strong because the pass-
word is now hard to remember, so most people will write it down.
This defeats the purpose of having a strong password.
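The recommendations above (length, mixed character classes, no embedded dictionary words) can be turned into a policy check. The following is an added example, not code from the book; the tiny word list, the twelve-character minimum and the digit-for-letter normalisation table are my own assumptions, and a real deployment would load a full dictionary.

```python
import re

# Constructed mini-dictionary; a production check would load a full word list.
DICTIONARY = {"password", "secret", "summer", "welcome", "admin", "dragon"}

# Common digit/symbol-for-letter substitutions, undone before the dictionary check
# so that "Pa$$w0rd" is still recognised as "password".
LEET = str.maketrans("01345$@", "oieassa")

CLASS_CHECKS = (
    ("lowercase letter", r"[a-z]"),
    ("uppercase letter", r"[A-Z]"),
    ("digit", r"[0-9]"),
    ("special character", r"[^A-Za-z0-9]"),
)


def policy_violations(password, dictionary=DICTIONARY, min_length=12):
    """Return a list of reasons the password fails the policy (empty if it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for label, pattern in CLASS_CHECKS:
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    normalized = password.lower().translate(LEET)
    for word in sorted(dictionary):
        if word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def is_acceptable(password, **kwargs):
    return not policy_violations(password, **kwargs)


if __name__ == "__main__":
    for candidate in ("Summer-2002!!", "Pa$$w0rd2002!", "xT7#qL2m!vR9pQ"):
        print(candidate, "->", policy_violations(candidate) or "accepted")
```

Note that the second candidate satisfies every character-class rule and the length rule; only the substitution-aware dictionary check catches it, which is the point of the "no dictionary words within" advice.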
One-Time Passwords
One-time passwords solve the problems of user-derived passwords. With
one-time passwords, each time the user tries to log on she is given a
new password. Even if an attacker intercepts the password, he will not
be able to use it to gain access because it is good for only one session.
One-time passwords typically use a small hardware device (key fob or
SecurID) that generates a new password every minute. The server also
has the same software running, so when a user types in her password
(off the device), the server can confirm whether it is the correct pass-
word. Each time the user logs on she has a new password, so it is much
more secure. The problem, however, is that users have to ensure they
have the device with them at all times; otherwise, they cannot log on.
Challenge Response
An alternative to one-time passwords is challenge response schemes.
Instead of having the device just blindly generate a password, a user
identifies himself to the server, usually by presenting his user ID.
The server then responds with a challenge, which is usually a short
phrase of letters and numbers. The user types the challenge into the
device and, based on the challenge, the device responds with an out-
put. The user then types that output in as his password to the server.
This scheme is slightly more complicated, but it allows the password
to be based on changing input rather than just time. Also, because
the input is not based on time, you do not have to worry about
clock skew problems, which happen with one-time passwords. If the
clock on the server or the device slowly gets out of sync, eventually
the user will be unable to log on to the system.
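Both mechanisms just described can be shown with both sides of the exchange in code. This is an added example, not the book's or any vendor's implementation: the one-time password side uses the HMAC-based counter scheme of RFC 4226 with the minute number as the counter (which is what a time-based token does), the server tolerates one step of clock skew and refuses to accept a code twice, and the challenge-response side is a plain HMAC over a random challenge. The shared key is the RFC 4226 test-vector key, and the class and function names are mine.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60  # seconds per code: the one-minute window the text describes


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password with the RFC 4226 dynamic truncation (HMAC-SHA1)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


def device_code(key: bytes, now: int) -> str:
    """What the token displays: the code for the current minute."""
    return hotp(key, now // STEP)


class OtpServer:
    """Server side: same key and algorithm, a small skew window, and no replays."""

    def __init__(self, key: bytes, skew_steps: int = 1):
        self.key = key
        self.skew_steps = skew_steps
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        t = now // STEP
        for counter in range(t - self.skew_steps, t + self.skew_steps + 1):
            if counter > self.last_counter and hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter  # a code is good for one session only
                return True
        return False


# Challenge-response: no clock involved, so no skew to drift out of.
def server_challenge() -> str:
    """Short random challenge the user types into the device."""
    return secrets.token_hex(4)


def device_response(key: bytes, challenge: str) -> str:
    """What the device shows for a given challenge; the user types it as the password."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def server_check_response(key: bytes, challenge: str, response: str) -> bool:
    return hmac.compare_digest(device_response(key, challenge), response)


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 test-vector key, not a real secret
    server, now = OtpServer(key), 120
    code = device_code(key, now)
    print("accept:", server.verify(code, now), "replay:", server.verify(code, now),
          "two minutes of skew:", OtpServer(key).verify(code, now + 2 * STEP))
    chal = server_challenge()
    print("challenge", chal, "ok:", server_check_response(key, chal, device_response(key, chal)))
```

With a one-step window the server still accepts a code when the device's clock is a minute off, but once the drift reaches two minutes the user is locked out, which is the clock-skew failure mode the text warns about; the challenge-response path has no such dependency.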
Biometrics
Both one-time passwords and challenge response schemes have the
problem that the user has to carry a device around with him and if
he loses the device, he can no longer log on to the system.
Biometric authentication is based on something you are, so you do
not have to worry about forgetting a password or leaving a device at
home. Several types of biometric devices are available, some of
which can be used to authenticate fingerprints and hand, face, and
retinal scans. Biometrics are covered in detail under the Physical
domain and are mentioned here just for completeness.
Tickets
Another way to authenticate is for the system to give you a ticket,
and if you can decrypt the ticket, you can gain access. These
schemes rely on the exchanging of keys prior to authentication.
One of the common programs that does this is Kerberos. Before you
can use Kerberos, you must exchange a secret key with the server.
Only you and the server know the key. When you connect to the
system, you just tell the server your user ID, and the server sends
back an encrypted ticket. If you’re who you say you are, you will
know the key and be able to decrypt the ticket, thereby gaining
access to the information; otherwise, you will be denied access.
Ticket schemes do not scale very well, which is why they are less
common than the other approaches.
Single Sign-On
Single sign-on (SSO) is another scheme for authentication when you
have a large number of applications that all need to authenticate the
same user. Instead of requiring the user to log on multiple times, she
logs on once to a central server and that server authenticates her to
the other applications automatically. This lessens the burden on the
user because she logs on only once, but it increases the overall secu-
rity risk. With SSO, if someone is able to compromise someone else’s
information, he can gain access to everything. Also, if someone stays
logged on and forgets to lock her workstation when she walks away,
anyone sitting down at her workstation can have full access to every-
thing without ever having to provide a password. SSO shows the
balance that you need to achieve between security and functionality.
Centralized/Remote Authentication
Access Controls
RADIUS and TACACS+ are usually used interchangeably for
remote access controls. They are typically used when users are
required to authenticate to different applications and you do not
want to manage a separate listing of user accounts for each applica-
tion. Instead, you would point all the applications to your RADIUS
or TACACS+ server to authenticate the users. This way, you have to
administer and manage only one set of accounts and credentials.
Another area where you would use RADIUS or TACACS+ is when
you have an application or a device that needs to authenticate users
but no built-in facility exists for doing this. A good example of this
is Cisco routers. The key thing to remember is that if you want to
have a centralized access control server for authentication and autho-
rization, RADIUS and TACACS+ provide the facility for doing this.
Most of the time, Cisco recommends using TACACS+ with its
routers and devices.
Each user who connected to the network was responsible for setting
up access controls for her resources. Essentially, if someone acquired
access to your resources and he was not supposed to, it was your
fault for not setting up the access controls properly. This, however,
has its own set of problems because now you are trusting that each
entity responsible for access control does the right thing. For a large
organization, this can be a very scary proposition.
In reality, what happens in most situations is a compromise—and
access control is no exception. Most organizations tend to use a hybrid.
Depending on the size and structure of the organization, they might
set up several zones or domains (each with a centralized access control
for that domain). Then, to allow each of the domains to access
resources in the other domains, they set up trust relationships between
the two domains. Let’s look at domains and trust in a little more detail.
Domains
A domain in its most basic form is a group of computers under the
same administrative authority. It is a way to group systems together
to make them easier to maintain and control. From an access con-
trol standpoint, a domain is a group of systems that all authenticate
to a central system or group of systems.
A domain is modeled after the centralized access control model. You
usually have several domain controllers that can authenticate users to
the network and authorize them to access resources. This way, if one
system goes down, it does not present a single point of failure. If each
domain controller maintained its own database, things would quickly
get out of sync and very messy, so instead a single primary domain
controller maintains the master copy of users and passwords. Other
domain controllers can authenticate users, but any changes to accounts
must be done against the primary domain controller. You might think
that by doing this, you create a single point of failure. You do, and you
Domains might seem okay, but what happens when you have a user
in one domain who wants to access a server in another domain? This
is where trust comes into play.
Trust
If your organization sets up a hybrid model with a bunch of
domains, the questions arises, “How does a user in one domain
access resources in another domain?” You do this by setting up trust
relationships between domains. For example, if you set up a full trust
relationship between domain A and domain B, anything in one
domain can access something in the other domain.
What does setting up a trust really mean? A trust says that you trust
one domain to provide the same level of access control that another
domain does. So, if it authenticates a user and thinks that user is
worthy enough to access data on her own domain, she can access
data on your domain. It is similar to when you go on vacation and
leave a key with your neighbor. You would only give the key to a
neighbor you trust. This means you expect the neighbor to protect
your house just like he would his own house.
When we talk about trust relationships, we sometimes talk about a
full trust or a one-way trust. For example, with the full trust relation-
ship between domain A and B, A’s users can access B’s data and B’s
users can access A’s data. However, sometimes you might want to
only set up a one-way trust. I have some neighbors who trust me,
but I do not trust them. I have a key to their house, but they do not
have a key to my house. This is considered a one-way trust, and a
similar thing can be done with domains. With a one-way trust, A
might trust B but not the other way around, so you set up a one-
way trust from domain B to domain A. This says domain A trusts
domain B, but domain B does not trust domain A. So, domain B’s
users can access domain A’s data, but domain A’s users cannot access
domain B’s data. As you can see, you can get very creative with trust
relationships.
METHODS OF ATTACKS
Describe common methods of attack.
Brute-Force
With a brute-force attack, an intruder tries all possible combinations
until she guesses the right one. Brute-force attacks are most popular
with cracking passwords. A lot of people do not realize that all pass-
words are crackable, so it is just a matter of time. If an attacker tries
every possible combination, she will eventually guess the correct
password. Usually with brute-force attacks, an attacker gains access
to the encrypted passwords and downloads them to her local system.
Then she tries every possible combination until she guesses the pass-
words. Remember, if an attacker has the encrypted passwords for
every user on your system, she does not have to crack every pass-
word to get access—she only has to crack one.
A subset of the brute-force attack is the dictionary attack. If users
have really strong passwords, attackers need to try every possible
combination until they get access. But as was already discussed, users
don’t typically choose strong passwords. Most users pick very easy
passwords based on dictionary words. In that case, instead of trying
every possible combination, an attacker would try every word in a
dictionary. This is a much smaller subset than every single possible
combination, and because the attacker needs to crack only one or
two passwords, her chance of success is very high.
Denial-of-Service
When most people think of attacks against a system, they think of
someone trying to gain access. However, in some situations prevent-
ing others from gaining access can be just as useful. These types of
attacks are denial-of-service attacks. If you are at a client’s site, giving
a demo to close a sale and you cannot get access to your system, that
can be just as embarrassing and damaging as if your competition
stole your material. There are several ways someone can launch a
denial-of-service attack against access control. Most accounts are set
up so that after a certain number of failed logon attempts, the
account is locked. In this case, an attacker can just try to log on to
every account, giving bad passwords, and lock every account on the
system so no one can gain access. The other way is to flood the pipes
so no one can even get access to the server.
This attack is popular with dial-up accounts. If an attacker knows
that a company provides dial-up access, he keeps dialing the number
and connecting to the modem pool from different computers.
Eventually, he uses up all the phone lines, and legitimate users will
be unable to gain access to the system.
Spoofing
When you were young and wanted to go to a club or bar with your
friends, what did you do? You acquired a fake ID so you could pre-
tend to be someone else who was older and could get access to a
facility that you normally should not have access to.
When you acquired that fake ID, you were spoofing your identity.
The same thing can be done with access control. An intruder would
not normally be allowed access to your system. So, if he tried to
authenticate as Joe Attacker, your system would deny him access.
However, if he acquires the one-time password device for a given
user and acts like that user (or spoofs that user), the system would
give him access because the system thinks he is a legitimate user and
does not know that he is really an attacker. This is the problem with
access control that is based solely on something you have. If you
have the device, the system will allow you in, but as you can see, it is
very easy for someone else to acquire and gain access.
Sniffing
Some systems require that you have a user ID and a password to
gain access, but they send the password over the network in plain
text. An attacker can put a sniffer on the wire, which is a passive
attack that allows her to watch the traffic going over the wire.
Because the plain text is not encrypted, the sniffers can read the
password and user ID and then use those passwords to gain access.
It is very critical that any network authentication scheme encrypts
the password before it sends the password over the wire.
MONITORING
Explain intrusion detection.
A key motto of security is “prevention is ideal, but detection is a
must.” As long as you have a connection to an untrusted network
like the Internet, you will not be able to block every attack. Some
attacks will sneak in because you have to allow traffic to flow from a
business standpoint. Even if you allow only port 80 traffic into a
certain system, an attacker can still attack over that port, and your
prevention measures (such as firewalls) will allow it through because
they allow Web traffic to that given host. Therefore, you need some-
one or something to detect attacks in a timely manner. This is done
by monitoring your systems and network traffic looking for unusual
patterns or things that would be indicative of an attack.
Intrusion Detection
The field of study dealing with monitoring networks and hosts
and looking for attacks is known as intrusion detection. The critical
thing to remember with intrusion detection is that you are passively
monitoring a network or hosts looking for signs of an attack.
Types of Intrusions
To better understand ways IDSs work, let’s look at some of the types
of intrusions and the impact they could have on your network.
Intrusions can be categorized in many ways, but the following is one
way of addressing the problem:
• Host versus network
• Passive versus active
• Known versus unknown
Intrusion Prevention
The term intrusion prevention has undergone changes in its meaning
since early 2002. Prior to 2002, the main way to prevent an intru-
sion was to closely control access through strong identification and
authentication. For example, instead of using weak passwords to
gain remote access, you would use one-time passwords or biometrics,
which are much harder for an attacker to defeat. Most of the empha-
sis has been on authentication because identification is usually
through a password, which most companies make very predictable.
During the course of 2002, intrusion prevention has been used to
describe a new class of systems that have grown out of the intrusion
detection market. Firewalls are active devices through which traffic
passes; usually based on header information, traffic is either
blocked or allowed. Intrusion detection systems were passive devices
that would alert when an attack occurred but not actually stop the
traffic. Intrusion prevention systems are a mixture of both. They work
like a typical IDS, looking for possible attacks on a network, but they
are also active devices like firewalls through which traffic must pass. If
the IDS senses an attack, instead of just alerting as it previously did,
it can now actually stop the attack by blocking the traffic or
preventing the malicious behavior by enforcing rules and policies.
Signature Matching
A signature or pattern-matching IDS maintains a database of known
attack signatures. As it examines traffic (for a NIDS) or log files
(for a HIDS), it tries to find a match for each of these signatures. If
it finds a match, it sends an alert that the system is being attacked.
This approach is similar to how virus scanning software works: the
virus software maintains a database of known viruses and looks for
those patterns across all files.
Anomaly Detection
The concept behind anomaly detection is to determine what normal
traffic looks like for a company; anything that falls outside that
norm is deemed an attack and is dropped. The positive aspects of such
an approach are obvious. Because there are no signatures, you do not
have to worry about constantly updating the system with new
signatures. Also, because it is not based on signatures, it can detect
both known and unknown attacks on a system. The disadvantage is
figuring out how you should determine what is normal. Normal is
different for every company, and even within a company it changes
constantly over time. So you need some way to learn the network for
a given company and keep that baseline updated over time. Most
systems are based on signature detection with some anomaly
detection.
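The two approaches side by side, as an added example that is not from the book: a small Python detector runs a constructed signature set and a learned per-host request baseline over constructed web-server log lines, so the known pattern is caught by the signature and the unknown pattern (a host fetching far more pages than the baseline ever saw) only by the anomaly check. The log format, the single signature and the threshold are assumptions made for the demo.

```python
"""Toy NIDS applying both detection approaches: signature matching (known
attacks) and anomaly detection (deviation from a learned baseline).
Added example, not code from the book. The log format, the signature set
and every log line below are constructed for the demo."""
import re
import statistics
from collections import Counter

# Constructed log format: <client host> "GET <path> HTTP/1.x" <status>
LOG_RE = re.compile(
    r'^(?P<host>\S+) "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})$')

# Signature database (constructed): each entry names a known attack pattern.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
}

# Constructed "known-good" traffic used to learn what normal looks like.
BASELINE_LOGS = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 "GET /about.html HTTP/1.1" 200',
    '10.0.0.7 "GET /index.html HTTP/1.1" 200',
    '10.0.0.7 "GET /products.html HTTP/1.1" 200',
    '10.0.0.7 "GET /contact.html HTTP/1.1" 200',
    '10.0.0.9 "GET /index.html HTTP/1.1" 200',
]

# Constructed live traffic: one request matching a known signature, and one
# host requesting far more pages than any host did in the baseline (a pattern
# with no signature, so only the anomaly detector can notice it).
LIVE_LOGS = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200',
    '10.0.0.7 "GET /products.html HTTP/1.1" 200',
    '10.0.0.9 "GET /images/../../etc/passwd HTTP/1.0" 404',
] + ['10.0.0.42 "GET /page%d.html HTTP/1.0" 404' % i for i in range(30)]


def parse(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines, signatures=SIGNATURES):
    """Signature matching: every line is compared with every known pattern."""
    return [(name, line) for line in lines
            for name, rx in signatures.items() if rx.search(line)]


def requests_per_host(lines):
    """Count well-formed requests per client host."""
    return Counter(p["host"] for p in map(parse, lines) if p)


def learn_baseline(lines):
    """Anomaly detection step 1: learn 'normal' from a training window.
    Here normal is the mean and spread of requests per client host."""
    counts = list(requests_per_host(lines).values())
    return {"mean": statistics.mean(counts), "stdev": statistics.pstdev(counts)}


def anomaly_alerts(lines, profile, k=3.0):
    """Anomaly detection step 2: flag hosts whose request count lies more than
    k standard deviations above the learned mean. No signature is needed, but
    the result is only as good as the baseline. The stdev floor of 1.0 keeps a
    tiny, uniform baseline from flagging every host."""
    threshold = profile["mean"] + k * max(profile["stdev"], 1.0)
    return [(host, n) for host, n in requests_per_host(lines).items()
            if n > threshold]


def run_ids(baseline=BASELINE_LOGS, live=LIVE_LOGS):
    """Learn from the baseline window, then run both detectors on live lines."""
    profile = learn_baseline(baseline)
    return {
        "signature": signature_alerts(live),
        "anomaly": anomaly_alerts(live, profile),
    }


if __name__ == "__main__":
    for kind, alerts in run_ids().items():
        for alert in alerts:
            print(f"[{kind}] {alert}")
```
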
Now that we have looked at the main types of IDS, we will briefly
cover how they operate. After an IDS determines that an attack has
been detected, it sets off some type of alarm. Depending on the
severity, this alarm can range from putting a message on a screen to
sending an alert to someone’s pager. Some IDSs can even send
messages to firewalls that update their rule sets so that they can
block these attacks in the future. Automatically changing a rule set
on a firewall is very dangerous because it opens the door for an
attacker to spoof an IDS and change the rule set. Even if the
updates allow an IDS only to block traffic, an attacker could still
launch a denial-of-service attack against a company by simulating
an IDS and setting up rules to block traffic coming from anywhere.
PENETRATION TESTING
One error that companies often make is that they set up access
controls and then test the access controls to make sure they are
working properly. The problem with how companies approach this is
that they usually test the positive but do not test the negative.
What I mean by that is that after they set up access controls, they
test and make sure users can get to the resources they need to access.
So, if Bob needs access to servers A and C, they would test and see
whether Bob could access both servers. If he could, they then
conclude that the access controls have been set up properly. The
problem with this is that it never tests the negative—what else can
Bob access? If Bob can also access server D, the company has given
Bob too much access and is not adhering to the principle of least
privilege. Testing the positive is easier because it is a smaller
amount of testing. When you test the negative, you have to test all
the possible combinations, which can be time-consuming. This is one
reason companies do not do it.
The other reason they do not test the negative is that if it is done
incorrectly, there is less of a pain factor. For example, if Bob is
supposed to have access to server A and does not have access, he
might get upset, complain, and cause a lot of problems. The company
will also get upset because it is paying Bob to do a job, and you are
preventing him from doing that job. If Bob is not supposed to have
access to server D and he does, there is a good chance he will not
even notice—and if he notices, he will probably not tell anyone.
Instead of trying to manually test the negative, a good alternative is
to perform penetration testing to check the access controls of a com-
pany. Penetration testing is sometimes referred to as ethical hacking
because you are trying to simulate how an attacker would break into
a system and find the holes before an attacker does. The idea is that
if you try to break into your own systems, you can find weaknesses
in your access control policy and fix them before a real attacker
breaks in.
Ethical Issues
Whenever you talk about breaking into a system, there are always
ethical issues surrounding this. Is it ethical to try to break into a com-
pany even if you are not going to do harm? Is it ethical to probe a
system even if you do not have permission? The first rule of thumb
is to always get permission in writing before you do any form of pen-
etration testing. Before you even think about doing anything against
a company, you always need to get permission in writing. A point
that some people bring up is that a company does not always want to
know when you are doing a penetration test. If the people responsi-
ble for security know on a given day at a given hour someone is
going to try to break in, there is a good chance they might temporar-
ily increase their security to skew the test results. Even if this is
what a company wants to do, you can still get permission in writing.
It can say that over the next five days, this will be performed, or it
can be signed by the CTO who decides not to tell his staff this is
being done.
I keep emphasizing the “in writing” part of this discussion. Verbal
contracts are binding IF you can prove them. But proving you have
a verbal agreement to do something is very difficult. If you have a
signed piece of paper, the opposing party will have a hard time deny-
ing that they agreed to something. Always err on the side of caution
and get permission in writing.
Some people argue that if the systems are connected to the Internet
and you are only going to probe and not do any damage, you don’t
need to get permission. This tends to be a big ethical issue at securi-
ty conferences, but to me the answer is simple: The system does not
belong to you. It is someone else’s system, and if you want to do
something to it, you need to get the owner’s permission. The other
problem is that, because you are remotely probing a system, you
might not intend to do any damage but by accident might crash or
reboot the system. If you get the company’s permission, it might
have you perform a penetration test during low-volume hours so if
something happens, the financial impact is minimal. If you just
decide to probe a company without permission, you could crash the
system and cause a large financial loss to a company.
STEP BY STEP
1.1 The Process for Breaking into a System
1. Perform passive reconnaissance.
2. Perform active reconnaissance (scanning).
Common Tools
NOTE
One of the most common port scanners is nmap. nmap not only
determines which ports are open, but also performs OS fingerprint-
ing and other advanced features such as sending out decoy packets
to spoof who the real attacker is.
CASE STUDY: THE SMART CARD CASE
ESSENCE OF THE CASE
The following are the essence of the case:
• Eventually it was determined that intruders had obtained a certificate that enabled them to install their own certificate authority (CA) and produce smart cards trusted by the ABC Company’s computer systems.
• Among other capabilities, the CA is the computer in the public key infrastructure (PKI) that issues certificates. In the ABC PKI, the certificates are used on smart cards, and in this particular PKI implementation, a hierarchical structure is allowed. In other words, the root—or first CA—can produce a certificate that authorizes another CA. Smart cards produced by either CA can then authorize access to computer systems.
• The intruders were able to obtain a certificate from the first CA, install their own CA, and produce smart cards that they then used on the system.
SCENARIO
ABC Company (not a real name) recently instituted a smart card program. All employees are required to use smart cards for access to data systems. Authentication and identification information is placed on the smart card and used to log the user onto the computer. A smart card and associated PIN number are necessary for logon.
Smart cards are issued by the human resources department when an employee is hired and can be reissued as required. The cards are also used for access to the building and contain a picture of the employee. Cards must be controlled by the employees at all times. If an employee leaves his desk, he must remove the card from the smart card reader and carry it with him for identification. Removing the smart card locks the computer and prevents unauthorized users or intruders from accessing systems when an employee is away from his desk. This also prevents smart card sharing because the card must be in the reader for the computer session to remain accessible to the user.
This excellent system of access control has many features that make it desirable. The automatic logoff, identification requirements, building access requirements, and one-user-one-device requirement all make it an outstanding design.
Unfortunately, a routine audit has disclosed that multiple logons by the company’s vice president were made when she was on vacation. She was able to prove that her smart card was in her possession at the time the intruder was using a smart card issued to the VP’s account to access the network. Further research uncovered the use of multiple “fake” smart cards to access the accounts of other privileged users and thus provide access to other sensitive documents.
ANALYSIS
This is an example of why exotic and complicated technical systems are not the end all and be all of security. In this case, the root was not appropriately protected. Even though PKI can provide a strong authentication and access control system, it is reliant on human beings to design a secure PKI.
CHAPTER SUMMARY
Access control complements other areas of security but is critical to achieving defense in depth across your organization. Without access controls, you are saying that after someone gets access to a system, he can do whatever he wants because there is nothing restricting his actions. This chapter outlined various approaches to access control and how it can be achieved across an organization.
KEY TERMS
• Access controls
• ACLs
• Bell-LaPadula
• Biba
• Brute-force attack
• Denial-of-service attack
• Discretionary access control (DAC)
• IDS
• Lattice-based access control
• Liptner
• Mandatory access control (MAC)
• Nessus
• Non-inference
• Penetration testing
• Role-based access control
• Rule-based access control
• Signature matching
• Sniffing
• Spoofing
• SSO
• Star property
• Trusts
APPLY YOUR KNOWLEDGE
Exercises
1.1 Rule-Based or Role-Based: Which Is It?
Examine the access control system of a Windows NT or Windows 2000 system. Determine whether it is role-based or rule-based, and explain why.
Estimated Time: 20 minutes
1. Examine the default user groups on the system. What groups exist? Do they have specific rights or access that is allowed on the system?
2. Determine whether additional groups can be created. Who can create these groups? Can rights or access be granted to these groups?
3. Determine whether individual user accounts can be given rights and access on the system.
4. Based on your study, is this a rule-based or role-based system of access control? Why?
Answers to the exercise:
1. Multiple user groups exist, depending on whether you are looking at Windows NT or Windows 2000 and whether the computer is a domain controller, server, or workstation. All domain controllers have the Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Guests, and Domain Users groups. Each default group has specific rights assigned to it, and access control lists on resources determine which groups have which type of access.
2. Additional groups can be created and granted rights and access to resources.
3. Individual user accounts can be given rights and access on the system, either on their own or by membership in groups.
4. This can be a rule-based or a role-based system of access control depending on its implementation. Clearly, default groups are granted access dependent on presumed roles. Additional groups can also be assigned roles and granted associated rights and access. However, there is no enforcement of these roles because enforcement is based on human interaction. If the policy is strict and followed faithfully, a user is given access according to the role he plays by his inclusion in a group that has only the access and rights he requires to perform his functions. Rule-based control can also be implemented by writing rules for each user’s access and implementing it by assigning his individual account the right or access outlined in the rule developed to govern his behavior on the system.
Review Questions
1. What is the correct policy to use for shared accounts?
2. Describe the difference between discretionary access controls and mandatory access controls.
3. Lattice-based access control is a form of MAC. Flow operations for this type of MAC include the properties of partial order, which are what?
4. Collections of rules that apply to network access through a router based on IP address or port are __________.
5. The first time someone logs onto a new account, she should be forced to change her password. This is for what reason?
6. The information access model that is meant to protect against write-down Trojan horses is the _________ model. In this model a user with high privileges will not be able to write to areas where only a lower privilege is necessary.
7. Explain the difference between identification and authentication.
8. What problems do one-time passwords solve?
9. What is one problem with single sign on?
10. What is the usefulness of TACACS+ and RADIUS?
11. Explain how a brute-force attack can be used to crack passwords.
12. Define intrusion detection and give an example of where it is useful.
13. What is the difference between host and network forms of intrusion detection?
Exam Questions
1. Which principle identifies a user and verifies that the user is who he says he is?
A. Authentication
B. Access control
C. Biba
D. Bell-LaPadula
2. Which principle determines what resources the user can use on the network?
C. Biba
D. Bell-LaPadula
3. Which principle makes people respond to access controls?
A. Accountability
B. Authentication
C. Authorization
D. Accreditation
4. A user can have multiple levels of access to a system depending on the work that she must do. In a MAC system, this might mean that she could log on at her highest level of access to do all her work. What can be done to correct this limitation of MAC controls?
A. Never give a user more than one level of access control.
B. Audit the use of her access and punish her for using her higher level access logon when it is not necessary.
C. Use an access level system (compartmentalization) that is not all inclusive—that is, a higher-level access account cannot access lower-level resources.
D. Only give her the highest level access logon she needs. She can access anything she needs to access with this. Why give her multiple accounts?
5. The difference between rule-based access control and role-based access control is what?
B. Rule-based access control is necessary for small businesses, whereas role-based access control is necessary for large businesses.
C. Rule-based access controls assign access parameters to user accounts, whereas role-based access control is based on access control desired according to the job function of a position.
D. Rule-based access controls are easy to implement, whereas role-based access controls are not.
6. When assigning access to sensitive information you should maintain which of the following?
A. Separation of duties
B. One account, one user
C. Least privilege
D. Accountability
7. When assigning permissions to accounts, you should give the access that the user needs and nothing more. This defines which security principle?
A. Separation of duties
B. One account, one user
C. Least privilege
D. Accountability
8. The access control model that defines simple security as the reading of files and the star property with writing of files is which of the following?
A. Biba
B. Bell-LaPadula
C. Liptner
D. Non-inference
9. Which model deals with integrity instead of confidentiality?
A. Biba
B. Bell-LaPadula
C. Liptner
D. Non-inference
10. Which model applies government models to commercial settings?
A. Biba
B. Bell-LaPadula
C. Liptner
D. Non-inference
11. Which access control model deals with the information you can find out by observing the input to and output from a system?
A. Biba
B. Bell-LaPadula
C. Liptner
D. Non-inference
Answers to Review Questions
1. Account sharing is not allowed. When accounts are shared, there is no accountability. For more information, see the “Accountability” section.
2. Discretionary access controls are based on human decisions. Policy determines whether a user, a service, or an application can access a resource such as a file or directory. It does not provide a high level of access control because the measure of who should have access is subjective—a human gives and takes controls. Mandatory access controls are done at a higher level: The computer system is in control. Entities that use the system are given a classification level which is associated with their accounts. Data also has a classification level. The system determines access by looking at the classification of the user and the data. For more information, see the “Discretionary Access Control” and “Mandatory Access Control” sections.
3. Reflexive, antisymmetric, and transitive. For more information see the “Lattice-Based Access Control” section.
4. Access control lists. For more information, see the “Access Control Lists” section.
5. The default password used to log on might be known to others. The use of authentication and identification to control access works only if the individual who owns the account is the only one who knows its password. This also enables accountability. For more information, see the “Account Administration” section.
6. Bell-LaPadula model. For more information, see the “Access Control Models” section.
7. Identification is the presentation of credentials that identify who the user is. The user account ID is an identification credential. Authentication is the process of proving that the user is who he says he is, often by using a password or other piece of information known only to this user. For more information, see the “Identification and Authentication Techniques” section.
8. One-time passwords solve the problem of weak passwords, or shared passwords. When passwords are used, they are good only if they are known only to the user. Often users write down passwords or share them. Passwords can also be cracked by programs built to do so. One-time passwords are only good when used, thus it doesn’t matter if they’re captured or written down because they cannot be reused. For more information, see the “Identification and Authentication Techniques” section.
9. Single sign-on means that one user ID and password provide access to all the network resources assigned. Unfortunately, it also means that one compromise of that network ID and password means the intruder has acquired access to all the resources assigned. For more information, see the “Single Sign-on” section.
10. TACACS+ and RADIUS provide centralized authentication. This can be used to provide authentication to multiple applications or to the network from remote access. For more information, see the “Centralized/Remote Authentication Access Controls” section.
11. A brute-force attack is one that tries all possible combinations to determine a password. Password crackers often operate in this mode, trying every possible character combination until the password is matched. For more information, see the “Brute-Force” section.
12. Intrusion detection is the capability to detect when unauthorized access is taking place or has taken place. This is useful because it can identify an attack in progress, in which case, perhaps the attacker’s success can be limited or his information can be gathered for later prosecution.
It is also useful because it can indicate what the attacker accessed and what information he obtained. For more information, see the “Intrusion Detection” section.
13. Host intrusion detection places agents on the host machine and records when the host has been accessed in an unauthorized manner. Network intrusion detection agents listen to all network activity and can find when any intruders have accessed the network. For more information, see the “Intrusion Detection” section.
Answers to Exam Questions
1. A. Answer B, access control, is the ability to control who and what resources are accessed. Answers C and D are incorrect because they are particular access control methodologies. See the “Introduction” section for more information.
2. B. Answer A is the process of proving you are who you say you are, so it’s wrong. Answers C and D are specific access control models, so they are incorrect.
3. A. Answer B is the process of proving you are who you say you are, so it’s incorrect. Answer C is the process of seeing if you should get access, so it’s incorrect. Answer D is incorrect because accreditation is the approval of specific criteria as developed by an accrediting agency. See the “Accountability” section for more information.
4. C. It might be impossible to never give a user more than one level of access control, so answer B is incorrect. Likewise, answer A might help but will not prevent the access, so it’s incorrect. Answer D is wrong because you should not be cavalier about this access—when a privileged user accesses an area of less privilege, she can infect the area of less privilege. See the “Mandatory Access Control” section for more information.
5. C. Answer A is incorrect because rule-based access control more often applies to users instead of groups. Answer B is incorrect because even small businesses might find rule-based access control difficult to manage, and answer D is incorrect because rule-based access controls can be difficult to implement when more than a few users are present. See the “Rule-Based Access Control” and “Role-Based Access Control” sections for more information.
6. A. Answers B, C, and D are incorrect because they are true for access control for all users, not just those of sensitive information. See the “Account Administration” section for more information.
7. C. Answer A is incorrect because it keeps a user from taking advantage of his access to sensitive information—the one who writes the code does not get to configure the system, and the one who approves the purchase of vendor goods does not get to issue the checks. Answer B means that accounts should not be shared, so it’s incorrect. Answer D provides control over the use of resources—if you access a resource, that access can be recorded—so it’s wrong. See the “Account Administration” section for more information.
8. B. All other models do not have this property, so answers A, C, and D are incorrect. See the section “Access Control Models” for more information.
9. A. All other models do not have this property, so answers B, C, and D are incorrect. See the section “Access Control Models” for more information.
10. C. Answers A and B represent government access control models, so they’re wrong. Answer D represents a generic access control model, so it’s also wrong. See the section “Access Control Models” for more information.
11. D. All other models do not have this characteristic, so answers A, B, and C are incorrect. See the “Access Control Models” section for more information.
Telecommunications and Network Security
OUTLINE
Providing Remote Access Capabilities 119
Client-Based Dial-in Remote Access 119
Using Tunneling As a Security Method 120
Virtual Private Networks 121
Client-Based VPNs 121
Site-to-Site VPNs 122
VPN Protocols 123
Remote Access Authentication 124
Networking Protocols 125
Transmission Control Protocol/Internet Protocol 125
Application Layer Protocols 126
Transport Layer Protocols 127
Reviewing TCP and UDP 129
Internet Layer Protocols 129
Network Monitoring and Packet Sniffers 137
Intrusion Detection 139
Intrusion Response 141
Network Address Translation 142
Transparency 144
Hash Totals 145
Email Security 146
Facsimile and Printer Security 147
Common Attacks and Countermeasures 147
Class A Abuses 147
Class B Abuses 148
Class C Abuses 149
Class D Abuses 150
Class E Abuses 152
Class F Abuses 154
Fault Tolerance and Data Restoration 155
STUDY STRATEGIES
• The Telecommunications and Network Security domain is a positively massive amount of data to cover. Ranging from the structure of networking frameworks, to network topologies, to network devices to security practices, there is a wide playing field to cover.
• The best way to approach the subject is to focus on the individual sections instead of trying to understand the entire domain at one time. Break the domain into logical groupings of topics. I like to start with the OSI model because it provides the foundation for networking in the first place.
• Use the layered approach of the OSI model to focus on the specific technologies and concepts. Start with layer-1 concepts like network cabling and physical design. Move up to network functions at layer 2. Proceed to layer-3 concepts, and so on.
• Try to focus your LAN and WAN study topics. Work on mastering the various LAN devices and technologies, and then proceed to the WAN devices and technologies.
• After you lay the foundation of understanding the fundamental networking concepts, proceed to the more complex security discussions. Start easy and look at the security theory and practices before you proceed to the more specific security threats and countermeasures.
• Above all else though, remember to take small steps. “Grasshopper, first you must take the stone, and then you can go.” Keep this philosophy in mind. Master a concept before you attempt to proceed to the next one.
INTRODUCTION
This chapter explores the devices and technologies that constitute
and define networks. We start with an examination of the Open
Systems Interconnection (OSI) model and how it facilitates network
communications. We then look at the network characteristics and
topologies, including local area network and wide area network
devices, services, and protocols. We will also define what a firewall is
and is not, and look at methods of providing remote access to inter-
nal resources. After we have defined the things that constitute a net-
work, we will start looking at methods of protecting the data and
resources that run on our networks. We will finish with a look at
fault tolerance and data redundancy.
As mentioned, the Telecommunications and Network Security
domain is a very broad topic to discuss. This chapter has been bro-
ken down into numerous sections to make it easier to understand all
the components of this domain and how they fit together.
It’s important to understand that OSI does not define how to perform requisite tasks at each layer. This responsibility is left up to the individual vendors and the respective protocols. The OSI model simply defines what the expectations of each layer are, leaving the vendors and protocols to determine the best way to meet that expectation. As discussed, the OSI model is separated into seven distinct layers, as shown in Figure 2.1. Each layer has a core set of tasks and functions that it is responsible for providing. These layers are as follows:
• Application layer (Layer 7)—Primarily responsible for interfacing with the user. This is the application interface that the user experiences.
• Presentation layer (Layer 6)—Primarily responsible for translating the data from something the user expects to something the network expects.
• Session layer (Layer 5)—Primarily responsible for dialog control between systems and applications.
• Transport layer (Layer 4)—Primarily responsible for handling end-to-end data transport services.
• Network layer (Layer 3)—Primarily responsible for logical addressing.
• Data Link layer (Layer 2)—Primarily responsible for physical addressing.
• Physical layer (Layer 1)—Primarily responsible for physical delivery and specifications.
FIGURE 2.1 The OSI model: Application, Presentation, Session, Transport, Network, Datalink, Physical (top to bottom).
Application Layer
The Application layer is primarily responsible for providing the user
access to network resources via the use of network-aware applica-
tions. The Application layer handles identifying and establishing that
network resources are available. It is important to note that not
every application—for example, word processing applications—is
defined at the Application layer. Word processors do not have
native networking functions, and thus are not network aware. On
the other hand, World Wide Web (WWW) applications—for exam-
ple, Web browsers—are network aware and thus are defined as
Application layer entities. Some other examples of Application layer
entities are
• Email gateways—Using Post Office Protocol (POP3), Simple
Mail Transfer Protocol (SMTP), or X.400, email gateways
deliver messages between applications.
• Newsgroup and Internet Relay Chat (IRC) programs—
Using Network News Transfer Protocol (NNTP) and IRC,
these applications provide for communications between hosts
by allowing for either the posting of messages to a news server
or the typing of a live conversation between chat clients.
• Database applications—Providing data storage and ware-
housing capabilities in central data repositories that can be
accessed, managed, and updated.
• WWW applications—Providing access to Web resources,
WWW applications include client Web browsers and Web
servers.
Presentation Layer
The Presentation layer is often referred to as the “translator” of the
network, similar to EBCDIC (Extended Binary-Coded Decimal
Interchange Mode) and ASCII (American Standard Code for
Information Interchange). As the name would imply, the primary
purpose of the Presentation layer is to take data that is in a format
the user understands and translate it into something that the net-
work understands, and vice versa. In other words, it is presenting the
data in the format that the next layer needs. The Presentation layer
also handles encryption and protocol conversion functions.
Numerous protocols reside at the Presentation layer:
• Graphics formats—Formats such as Joint Photographic
Experts Group (JPEG), Tag Image File Format (TIFF),
Graphics Interchange Format (GIF), and Bitmap (BMP) han-
dle the presentation and display of graphic images.
• Sound and movie formats—Formats such as QuickTime,
Moving Picture Experts Group (MPEG), Windows Media File
(WMF), Digital Video Express (DIVX), and RealAudio
(movie) and Windows Audio Volume (WAV), Musical
Instrument Digital Interface (MIDI), and Moving Pictures
Experts Group Layer-3 Audio (MP3) (sound) provide for
translating and presenting sound and video files.
• Network redirectors—Some of the most overlooked protocols
that function at the Presentation layer are the network redirec-
tors, handling the protocol conversions from your network-
based formats—that is, Server Message Block (SMB) and
Netware Core Protocol (NCP)—and the end user applications
themselves.
Session Layer
The Session layer is responsible for setting up, maintaining, and tearing down the logical communications channels between network hosts and applications. Each time two systems communicate, they establish a “session” that lets each host keep the conversation of one application with one peer separate from every other conversation it is holding. The reason for this is simple—most hosts run multiple applications and are communicating with multiple hosts at the same time.
Transport Layer
The Transport layer is primarily responsible for handling the end-to-end communications between host systems. One of the ways this occurs is via a process known as segmentation and reassembly. The Transport layer takes the data received from the upper layer protocols and breaks it into segments that are sized in accordance with the maximum segment size of the network in question. Because the data segments may arrive at the destination out of order, each segment is labeled with a sequence number so that the receiving system knows how to put them back together to re-create the appropriate upper-layer data. This logical connection between hosts is sometimes referred to as a virtual circuit. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are two protocols that reside at the Transport layer; TCP provides the sequencing, acknowledgment, and retransmission that make delivery reliable, whereas UDP does not. They will be discussed in more detail during the discussion of TCP/IP.
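The segmentation and reassembly process just described, worked through in Python as an added example (this is not code from the book): a sender splits data into segments no larger than a maximum segment size, labels each with a sequence number, and the receiver restores the order even when segments arrive shuffled or duplicated, and refuses to deliver data with a gap in it. The choice of byte offsets as sequence numbers, the segment size, and the sample message are assumptions made for the example.

```python
"""Transport-layer segmentation and reassembly.

Added example; it is not code from the book. A sender splits upper-layer data
into segments no larger than a maximum segment size (MSS) and labels each one
with a sequence number (here the byte offset of the segment within the original
data). The receiver restores the original order even when segments arrive
shuffled, drops retransmitted duplicates, and reports a gap when a segment is
missing instead of silently delivering corrupt data.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # byte offset of this payload within the original data
    payload: bytes
    last: bool      # True on the final segment so the receiver knows where the data ends


def segment(data: bytes, mss: int) -> list[Segment]:
    """Split data into segments of at most mss bytes, each labelled by offset."""
    if mss <= 0:
        raise ValueError("mss must be positive")
    segments = []
    for offset in range(0, len(data), mss):
        chunk = data[offset:offset + mss]
        segments.append(Segment(offset, chunk, offset + mss >= len(data)))
    return segments or [Segment(0, b"", True)]


def reassemble(received: list[Segment]) -> bytes:
    """Rebuild the original data from segments delivered in any order.

    Duplicates are tolerated (the first copy wins). A missing segment raises
    ValueError naming the first byte offset that never arrived.
    """
    by_offset: dict[int, Segment] = {}
    end = None
    for seg in received:
        by_offset.setdefault(seg.seq, seg)
        if seg.last:
            end = seg.seq + len(seg.payload)
    if end is None:
        raise ValueError("final segment never arrived")
    out = bytearray()
    expected = 0
    while expected < end:
        seg = by_offset.get(expected)
        if seg is None:
            raise ValueError(f"gap: no segment starting at offset {expected}")
        out += seg.payload
        expected += len(seg.payload)
    return bytes(out)


def is_complete(received: list[Segment]) -> bool:
    """True if the receiver holds every segment needed to rebuild the data."""
    try:
        reassemble(received)
        return True
    except ValueError:
        return False


def demo(seed: int = 1) -> bool:
    """Constructed sample: deliver segments shuffled, with one duplicate, and verify."""
    message = b"The quick brown fox jumps over the lazy dog. " * 3   # constructed data
    sent = segment(message, mss=16)
    delivered = sent + [sent[2]]             # one retransmitted duplicate
    random.Random(seed).shuffle(delivered)   # arrival order is not sending order
    return reassemble(delivered) == message


if __name__ == "__main__":
    print("reassembled correctly:", demo())
```

Note that reassemble() never returns partial data: a receiver that delivered what it had and skipped the gap would hand the application a silently truncated message, which is exactly the kind of failure the sequence labels exist to prevent.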
Network Layer
The Network layer is primarily responsible for the logical addressing of packets and the routing of data between networks. All hosts in a network are either local or remote. Local hosts are defined as those that can receive the physical signal that the source host transmits. In order to do this, hosts must share the same piece of wire. However, not all hosts do this. Sometimes the source host and destination host are in physically different locations or on physically different networks. These hosts are known as remote hosts because they cannot receive the physical signal that the source host transmits. To address this issue, and still allow the hosts to communicate, the Network layer uses logical addresses to logically define hosts so that they can be located regardless of physical location. This process of transmitting data regardless of physical location is known as routing. The Network layer also handles the mapping between logical addresses and physical addresses (in TCP/IP this is the job of ARP). Segments that are received from the Transport layer are encapsulated within a Network layer header to become packets. Some of the protocols that reside at this layer include the following:
• Internet Protocol (IP)—There are some who would contend that IP is the Network layer. IP handles the logical addressing of hosts and the routing of data via a hierarchical addressing scheme. The benefits of a hierarchical addressing scheme are ones of scaling, in that it can handle many more addresses than a flat system. In addition, it is much easier to enable routing because multiple networks can be grouped together and treated as single entries in the routing table, making routing much more efficient. In fact, it would probably be impossible to route on a global scale with a flat addressing system. IP is defined in RFC 791.
• Internetwork Packet Exchange (IPX)—Used primarily on Novell-based networks, IPX provides for the logical addressing of hosts via network and host addresses.

NOTE
The Role of Routers and Layer-3 Switches at the Network Layer
Routers and layer-3 switches are Network layer devices. They are considered Network layer devices because of the special capabilities, namely the routing of packets, that they perform. Because routers and layer-3 switches know the difference between networks, they can be used to separate broadcast domains. This simply means that routers will not forward broadcasts from one network to another network by default.
Data Link Layer
When the Data Link layer protocols receive packets from the Network layer, they are encapsulated with data link header and footer information to become frames. The Data Link layer also detects errors in delivered data by using a CRC (Cyclic Redundancy Check) in the frame footer. The CRC is a checksum calculated over the contents of the frame prior to transmitting (it is not a measure of the frame's size). The Data Link layer uses the hardware address to identify the source and destination devices. When the destination host receives the frame, it performs the calculation again to make sure that the value that the source host placed in the frame footer is the same value that the destination just calculated. If it is not, the destination knows that the frame was corrupted in transit and discards it. Keep in mind that a CRC catches accidental corruption only: anyone who can alter a frame can also recompute its CRC, so it provides no protection against deliberate tampering, which requires cryptographic integrity mechanisms at a higher layer. The following protocols are among those used at the Data Link layer:
• Institute of Electrical and Electronics Engineers (IEEE) 802.2—Sometimes called the LLC (Logical Link Control) sublayer, this protocol defines the interface between the Network layer and the underlying network architecture. It also provides flow control and sequencing.
• IEEE 802.3—Sometimes called the Media Access Control (MAC) sublayer, this protocol defines how frames are transmitted on the media. This is the point at which encapsulation of packets into frames occurs. It also provides the error checking and ordered delivery of frames.
Switches and bridges are Data Link layer devices. They are considered Data Link layer devices because of the special capabilities, namely the ability to identify the physical location of hosts, that they perform. As a result, switches and bridges can be used to segment a network while still enabling hosts to physically communicate. This reduces collisions by separating collision domains.

NOTE
The Effects of Broadcasts and Collisions
Broadcasts and collisions can greatly degrade network performance. Broadcasts are defined as data that is addressed to all hosts, regardless of whether the destination can actually do anything with the data. Every host must process the broadcast, at least until it determines that the data is not for it. As a result, broadcasts can degrade performance by hampering a device's capability to transmit data because it is busy processing broadcast traffic. A common misconception is that broadcasts are more traffic than unicasts (packets that are destined for a specific host). This is simply not true. Similar to the question of “What weighs more, 1,000 pounds of lead or 1,000 pounds of feathers,” a 1,000-byte broadcast is no more or less traffic than a 1,000-byte unicast. The problem lies in the number of devices that must process the data, thus preventing them from performing other tasks. All the devices that receive the same broadcasts are known as being in the same broadcast domain. To optimize network performance, you can use routers to separate broadcast domains. In doing so, you will reduce the number of systems that have to deal with any given broadcast, thus increasing overall performance.
Collisions occur as a result of multiple devices sharing a single segment of cable. The cable can carry only a single signal at a time. The more devices that are on a segment, the greater the likelihood that two devices attempt to communicate at the same time, thus causing a collision. Collisions degrade performance by causing devices to retransmit data until they are successful. The devices that are capable of having their signals collide with each other are known as being members of the same collision domain. To optimize performance, you can use switches to create smaller collision domains. In doing so, you will reduce (and potentially eliminate) the likelihood of a collision occurring, thus ensuring that the hosts need to transmit data only once, increasing overall performance.

Physical Layer
The Physical layer is primarily responsible for sending and receiving data. The data is transmitted as bits—1s and 0s. The Physical layer also handles the specifications for the electrical, mechanical, and procedural components of the communications media. The Physical layer also identifies the DTE (Data Terminal Equipment) and the DCE (Data Circuit-Terminating Equipment) used in physical signaling and transmitting and receiving of data.

REVIEW BREAK
OSI Summary
The OSI model provides a logical blueprint that can be used to understand how networking communications take place. The OSI model is separated into seven layers. Each layer is responsible for specific tasks and functions, and for interfacing with the layer above and below itself. This modular design provides for the ability to change functions within any given layer without impacting the function of any other layers.
As data is passed down the layers of the OSI model, the data is encapsulated by each lower layer, becoming segments at layer 4, packets at layer 3, frames at layer 2, and finally bits at layer 1, which are ready to be transmitted. When the destination receives the bits it simply reverses the process, unencapsulating the frames, then the packets, then the segments, eventually presenting the original data to the application that needs it.
Figure 2.2 illustrates the encapsulation process as it relates to the OSI model. Upper-layer data is received from the host and processed by the top three layers of the OSI model. At the Transport layer the upper-layer data is encapsulated with a Transport layer header and becomes known as a segment. The segment header contains information such as the application ports that are in use. The segment is passed down to the Network layer, where it is encapsulated with Network-layer header information and becomes known as a packet. The packet header contains information such as the transport protocol that was in use, as well as the logical source and destination addresses. The packet is passed down to the Data Link layer, where it is encapsulated with data link header and footer information to frame the packet. At this point, the data is known as a frame. The data link frame header contains information such as the Network layer protocol that is in use, as well as the physical source and destination addresses. Finally, the frame is turned into bits, which are then transmitted across the wire.
FIGURE 2.2
The encapsulation process through the OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical).
After the destination receives the bits, it is able to rebuild the frame
and process the data link header and footer to determine to which
Network layer protocol to pass the data up. At the Network and
Transport layers, this process is repeated using the appropriate head-
er information, until the data can be delivered to the appropriate
application. The encapsulation process allows the destination host to
know what to do next with the data it is receiving and processing.
By understanding the OSI model, and understanding the layer at
which specific protocols function, a security professional can under-
stand the impact and function these protocols will have on their
security design. The OSI model is like a dictionary that provides the
words and language that the networks of today speak.
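The encapsulation walkthrough above, together with the Data Link layer's CRC check, carried through in Python as an added example (not code from the book). The header layouts are simplified fixed-width stand-ins for the fields the text names, not real TCP, IP, or Ethernet encodings, although the EtherType and IP protocol numbers used are the real ones; the addresses and the HTTP request are constructed sample traffic. The receiver peels each layer off by reading the "next protocol" field of the header it has just processed, which is how it knows what to do with the data, and the last function shows why a CRC is a check against line noise and not against an attacker.

```python
"""Encapsulation and decapsulation through the Transport, Network and Data Link
layers, with a CRC frame check sequence in the frame footer.

Added example; it is not code from the book. The header layouts are simplified,
fixed-width stand-ins for the fields the text names (ports; protocol number and
logical addresses; physical addresses and the Network layer protocol), not real
TCP, IP or Ethernet encodings, although the EtherType and IP protocol numbers
are the real ones. The footer is a CRC-32 computed over the frame contents.
The receiver peels each layer off by reading the header's "next protocol"
field, and tamper() shows why a CRC is a check against line noise, not against
an attacker, who can simply recompute it after changing the data.
"""
import ipaddress
import struct
import zlib

ETHERTYPE_IP = 0x0800            # real EtherType for IPv4
PROTO_TCP, PROTO_UDP = 6, 17     # real IP protocol numbers
TRANSPORT = struct.Struct("!HH")       # source port, destination port
NETWORK = struct.Struct("!B4s4s")      # protocol, source IP, destination IP
DATALINK = struct.Struct("!6s6sH")     # destination MAC, source MAC, EtherType
FCS = struct.Struct("!I")              # CRC-32 footer


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def encapsulate(data: bytes, sport: int, dport: int, proto: int,
                src_ip: str, dst_ip: str, src_mac: str, dst_mac: str) -> bytes:
    """Wrap data in Transport, Network and Data Link headers; append the FCS."""
    segment = TRANSPORT.pack(sport, dport) + data
    packet = NETWORK.pack(proto, ipaddress.IPv4Address(src_ip).packed,
                          ipaddress.IPv4Address(dst_ip).packed) + segment
    body = DATALINK.pack(_mac_bytes(dst_mac), _mac_bytes(src_mac), ETHERTYPE_IP) + packet
    return body + FCS.pack(zlib.crc32(body) & 0xFFFFFFFF)


def decapsulate(frame: bytes) -> dict:
    """Reverse the process on the receiving host; raise ValueError if the frame is bad."""
    body, (fcs,) = frame[:-FCS.size], FCS.unpack(frame[-FCS.size:])
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("FCS mismatch, frame discarded")
    dst_mac, src_mac, ethertype = DATALINK.unpack_from(body)
    if ethertype != ETHERTYPE_IP:                      # which Network layer protocol?
        raise ValueError(f"unknown EtherType {ethertype:#06x}")
    packet = body[DATALINK.size:]
    proto, src_ip, dst_ip = NETWORK.unpack_from(packet)
    if proto not in (PROTO_TCP, PROTO_UDP):            # which Transport protocol?
        raise ValueError(f"unknown protocol {proto}")
    segment = packet[NETWORK.size:]
    sport, dport = TRANSPORT.unpack_from(segment)      # which application?
    return {
        "src_mac": _mac_text(src_mac), "dst_mac": _mac_text(dst_mac),
        "src_ip": str(ipaddress.IPv4Address(src_ip)),
        "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
        "proto": proto, "sport": sport, "dport": dport,
        "data": segment[TRANSPORT.size:],
    }


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Simulate line noise: invert one bit anywhere in the frame."""
    buf = bytearray(frame)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def tamper(frame: bytes, new_data: bytes) -> bytes:
    """What an attacker on the wire does: swap the payload and recompute the CRC."""
    header_len = DATALINK.size + NETWORK.size + TRANSPORT.size
    body = frame[:header_len] + new_data
    return body + FCS.pack(zlib.crc32(body) & 0xFFFFFFFF)


def is_accepted(frame: bytes) -> bool:
    """True if the receiving Data Link layer would pass the frame up the stack."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


def sample_frame() -> bytes:
    """Constructed sample traffic: documentation addresses, locally administered MACs."""
    return encapsulate(b"GET / HTTP/1.0", 40000, 80, PROTO_TCP,
                       "192.0.2.10", "192.0.2.80", "02:00:00:00:00:0a", "02:00:00:00:00:50")


if __name__ == "__main__":
    frame = sample_frame()
    print(decapsulate(frame))
    print("noise detected:", not is_accepted(flip_bit(frame, 100)))
    print("forgery accepted:", is_accepted(tamper(frame, b"GET /admin HTTP/1.0")))
```

The two final checks are the security point: a single flipped bit anywhere in the frame is rejected, but a frame whose payload was replaced and whose CRC was recomputed passes the Data Link layer untouched. Integrity against an adversary has to come from a keyed mechanism the attacker cannot recompute, such as the cryptographic protections discussed later in this book.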
IN THE FIELD
Coax
Thin coax networks, also called thin-net or 10BASE-2, use coaxial
cabling with T-connectors to connect to the Network Interface
Cards (NICs). Thick coax networks, also called thick-net or
10BASE-5, use coaxial cabling with vampire taps and AUI
transceivers to connect to the NICs.
10BASE-2 Specifications
The maximum number of nodes per segment (between repeaters) on
a 10BASE-2 segment is 30. The maximum length of a segment is
185 meters. You can actually determine the maximum cable length
by the name 10BASE-2. 10 stands for 10 Mbps. BASE stands for
baseband. 2 stands for 200 meters (okay, so it is a little short).
10BASE-2 adheres to the 5-4-3 rule. This simply means that you
can have a maximum of five segments connected via four repeaters
but only three segments can have hosts on them. The two segments
that cannot support hosts are called Inter-repeater Links (IRL).
FIGURE 2.3
10BASE-2 connectors: BNC cable connector, BNC barrel connector, and BNC T connector.
10BASE-5 Specifications
10BASE-5 uses a vampire tap and a transceiver to connect to PCs and other network devices. The vampire tap works by surrounding the cable, opening up the outer jacket shielding, drilling a hole to the conductor, and using a center probe to provide conductivity. The transceiver provides for the connectivity to devices via Attachment Unit Interface (AUI) connections (DB15). A 10BASE-5 segment supports a maximum of 100 taps (transceivers) and a maximum segment length of 500 m; the network as a whole supports a maximum of 1024 hosts. 10BASE-5 adheres to the “5-4-3” rule. This simply means that you can have a maximum of five segments connected via four repeaters but only three segments can have hosts on them. The two segments that cannot support hosts are called inter-repeater links (IRL). 10BASE-5 uses barrels and terminators, similar to 10BASE-2, but instead of BNC connectors it uses N-type connectors. Figure 2.4 illustrates some of the common 10BASE-5 connectors.
FIGURE 2.4
10BASE-5 connectors: plug-style N-type connector, jack-style N-type barrel, plug-style N-type terminator, and jack-style N-type terminator.
TABLE 2.1
UTP Cable Categories and Speeds
Category      Speed Rating
Category 3    Rated for voice and data up to 10 Mbps / 16 MHz
Category 4    Rated for voice and data up to 16 Mbps / 20 MHz
Category 5    Rated for voice and data up to 100 Mbps / 100 MHz
Category 5e   Rated for voice and data up to 1000 Mbps / 100 MHz
Category 6    Rated for voice and data up to 1000 Mbps / 250 MHz
IN THE FIELD
Many vendors are offering cables that are better than the Category 5 specification. These are sometimes advertised as “Category 5 Enhanced,” “CAT5E,” or “Proposed Category 6.” CAT5 is all you'll need for 100 Mbps Ethernet speeds, but if you want Gigabit Ethernet capabilities over copper in the future, consider cabling such as CAT5E or CAT6. Vendors often advertise such cable as tested to 350 MHz or better; the ratings that actually matter are the ones in Table 2.1 (100 MHz for Category 5e and 250 MHz for Category 6), so buy to the category, not to the marketing number.
FIGURE 2.5
UTP connectors.
UTP Specifications
10BASE-T runs over unshielded twisted pair (UTP) cabling, and the two terms are often used interchangeably. The cable is called unshielded because it has no shielding; the four pairs of conductors simply twist around each other inside the cable jacket. Because there is no shielding, UTP is very susceptible to electromagnetic interference (EMI) such as the EMI given off by fluorescent lights. As a result, UTP should not be used near such EMI sources. The lack of shielding also means that UTP radiates: a malicious user can capture the data being transmitted without ever needing to tap into the cable, simply by running a tool that picks up the electrical signal the cable emits and reading the data from that.
UTP has a maximum cable length of 100 meters between a station and its hub or switch, and a maximum of four repeaters between end stations. Hubs act as repeaters. There can be a maximum of 1024 stations per network.
Troubleshooting UTP
Troubleshooting UTP is much easier than troubleshooting coax. This is one of many reasons why UTP has displaced coax as the network cabling of choice. Because UTP only supports two devices on a cable (that is, a computer and a hub or switch), when a cable failure occurs it is generally easy to pinpoint. As you will see in cable plant design in the next section, much of UTP troubleshooting is simply tracing the cable back to the source. A time-domain reflectometer (TDR) can locate the fault, just as with coax, but generally it takes longer to set the TDR up than it does to just follow the cable back. Some common culprits with UTP problems are using incorrect patch cables and incorrectly crimping or punching down the cable (discussed more in the next section). Generally, however, if you have a link light with UTP the problem is somewhere else.
Fiber Optic
Fiber-optic cable is predominately used for backbone and device
interconnectivity as opposed to end user connectivity. There are a
couple of reasons for this. First, fiber is much more expensive than
UTP or coax. Additionally, because fiber-optic cable is made of
glass, it is much more fragile than the alternatives. Let’s face it—we
all know what our users’ work environments look like. Fiber doesn’t
stand a chance! That’s okay though, because fiber has a role to which
it is much better suited—device interconnectivity on the backbone.
Fiber has now replaced 10BASE-5 as the predominant backbone
device interconnectivity method. This is due to the speed and dis-
tance at which fiber optics can transmit.
Fiber Structure
Each fiber strand consists of a glass core, which carries the light, surrounded by cladding, which reflects the light back into the core. A coating (also called a buffer) surrounds the cladding. In a tight buffer construction, the buffer is directly on the fiber. In a loose buffer construction, there is a layer of gel between the buffer and the fiber. This constitutes a single strand or piece of fiber. Figure 2.6 illustrates the components of a piece of fiber cable.
The individual fiber strands are then typically bundled in pairs, or multiple pairs, because each fiber can only send a signal in a single direction. A reinforcing layer of plastic (the outer jacket) is placed around the individual strands. The strands are also wrapped in Kevlar to provide both strength as well as flexibility to the actual fiber strands, further reinforcing the fiber-optic cable.
FIGURE 2.6
Fiber cable components: core, cladding, and buffer.
One-pair fiber cable, which is typically used in patch cord imple-
mentations, is generally called simplex or zipcord. Multi-pair fiber
cable that is double buffered (tight buffer with outer jacket) is gener-
ally referred to as distribution cable. Distribution cable does not rein-
force the fibers, and thus to terminate the cable one needs to use a
breakout box. A breakout cable is made of several simplex/zipcord
cable bundles and is generally more rugged because the fiber can be
terminated like zipcord (because it effectively is just a bundle of zip-
cord). Loose tube cables are composed of several fibers together in a
plastic tube. The tubes are then wound around a central strength
member and jacketed providing a high fiber count (in the 100s).
The tubes are filled with gel to prevent harm and protect the buffer,
which is very thin. While this cable must be handled carefully, it is
well suited for outdoor and very large backbone (that is, service
provider) implementations.
Breakout kits are used for terminating fiber in loose buffer tubes.
In a loose buffer tube construction, the fiber is contained in a gel-
filled polymer tube that has an inner diameter larger than the fiber
itself. This provides a high level of isolation for the fiber from exter-
nal mechanical forces. A loose buffer is used in outdoor applications
and can accommodate the changes in external conditions (that is,
contraction in cold weather and elongation in warm weather).
Multi-Mode Fiber
There are two main types of fiber-optic cable, multi-mode and
single-mode. Multi-mode fiber is mainly used for short or medium
distances and for low bandwidth applications. The actual fiber sizes
used (core/cladding) are
• 50/125 µm
• 62.5/125 µm (most common)
• 100/140 µm
Single-Mode Fiber
Single-mode fiber is designed for the transmission of a single ray, or
mode, of light as a carrier and is used for long-distance communica-
tions. Because there is only one ray of light, a smaller core can be
used for single mode fiber. The actual fiber sizes used (core/
cladding) are
• 8/125 µm
• 9/125 µm
• 10/125 µm
Fusion splices use a welding process to fuse the fiber to the connec-
tor (or to other pieces of fiber). This provides a stronger and lower-
loss connection. Mechanical splices use an alignment fixture to mate
the fibers and then you either polish the end of the fiber (very hard
to do and time consuming) or use a matching gel or epoxy (more
common) to minimize the reflection.
Wireless
Wireless is finding its way into more and more networks for a very
simple reason—because there are no wires, the devices can be locat-
ed anywhere that they can receive a signal. A big push for wireless
has been with the small office/home office (SOHO) users, because
many houses were not designed with network cabling in mind.
By simply using a wireless network, the user can place the computer
(or multiple computers) anywhere in their home and still have net-
work access. In corporate environments wireless is often used in
executive and campus environments. This allows executives to travel
anywhere on the executive floor and still be able to access the net-
work without needing to reconfigure or recable anything. Another
increasingly popular deployment of wireless has been with Point of
Sale (PoS) systems. Rather than running cabling to all of the systems
handling the sales transactions, they simply run wireless.
There are a few rather substantial drawbacks to wireless at this time.
The first is the lack of standardization, or more appropriately the
fact that there are numerous incompatible and competing standards
being employed. From 802.11 Wi-Fi to 802.11a to 802.11b to
802.11g to 802.15 Bluetooth, wireless standards definitely live by
the “the greatest thing about standards is there are so many to
choose from” adage. The thing to remember is to make sure that all
of the equipment you select supports the same standard.
The other problem with wireless is one of security. In the same way
that anyone can tune a radio to receive certain radio stations, people
can connect to a wireless network by simply running the appropriate
equipment and being within a certain range. This makes it easy for
malicious users to compromise a system, and in fact fairly recently a
certain chain of stores found itself in a bit of a problem when it was
discovered that its PoS systems ran wireless with no security, so any-
one sitting in the parking lot with a wireless card and a laptop could
potentially be capturing credit card transactions. Another drawback
is that interference can severely limit distances that wireless networks
cover.
The lesson to be learned here is to secure your wireless environment using both authentication and encryption. Authentication ensures that only authorized devices and users can connect to the network, and encryption ensures that even if intruders capture the signal they cannot read the data without the key. Both are only as strong as the cipher, key length, and key management the equipment supports, so choose the strongest options available and change keys whenever a device or a person who held them leaves.
NETWORK TOPOLOGIES
Virtually all networks use one of the following topologies:
• Linear bus
• Star
• Ring
• Tree
• Mesh
Linear Bus Topology
FIGURE 2.7
Linear bus topology.
Physically, the signal is sent to all devices connected to the linear bus
segment. On the surface, this may sound like the signal is a broad-
cast, but that is not the case. Instead, this is simply a matter of elec-
tronics and electricity. If I take a lamp cord and cut the jacket off
the cable, this exposes the conductor. If I then have a bunch of peo-
ple grab a hold of the cable and plug it into the wall, they are all
going to get shocked. A linear bus works in the same fashion. When
the devices are connected to the bus, they all share a common con-
ductor, which means that when an electric signal is put on the wire
(for example, during data transmission) all the devices connected to
the segment are going to get the electric signal. This does not mean
that all the systems actually process the data. We talk about this
more when we look at Ethernet and switches.
Another thing to understand is that only one signal can exist on the
segment at a time, which means that only one device can transmit at
a time. As a result, the more devices that you connect to a linear bus,
the worse the performance degradation will become. This is known
as contention, which simply means that the devices are in contention
for the same segment to transmit. A linear bus is also known as a pas-
sive technology because the devices on the segment do not move the
data from one device to the next; rather the signal is generated at the
source and all other devices passively receive the signal.
As the signal is put on the wire and begins to move away from the
source, it encounters the problem of signal bounce. After the signal
hits the end of the cable, the signal bounces back and continues to
travel back and forth, effectively preventing any other systems
from being able to communicate. In order to address this, a linear
bus uses terminators at the ends of the bus to absorb, and thus
terminate, the signal. The logic behind this is really quite simple.
By the time the signal has reached the terminator, every other device
on the bus should have been able to receive the signal and either
process or discard the data accordingly.
One of the problems with a linear bus has to do with termination. If
any part of the bus is not properly terminated, the entire bus will
cease to function properly. From a security perspective, this means
that someone can take out all of the devices on the bus by simply
removing the termination (for example, by cutting the cable). Linear
bus is very susceptible to cable faults as a single point of failure.
Star Topology
Unlike coax, the topology method in a 10BASE-T network is a star
because all devices must have a segment of wire connecting them to
an active hub or switch before being capable of communicating with
other devices on the LAN. In other words, each computer effectively
has its own piece of cable with the computer on one end and the
network device on the other. Figure 2.8 illustrates a star topology
with all the computers connected to a central hub/switch.
FIGURE 2.8
Star topology.
The benefit of this type of system is when there is a cable fault only
the device on that cable is affected, unlike coax where all devices on
the segment are affected. Logically, however, a 10BASE-T network
still operates as a bus. So although each computer is on a different
physical cable, all the computers are logically connected as a linear
bus due to the hub/switch.
Star topologies are also used to implement what is known as a
collapsed backbone. In a traditional network, the backbone of the
network consisted of cabling running between multiple network
connectivity devices (often in a linear bus fashion). The collapsed
backbone replaces this by having the network devices connected to
a single device that actually provides the backbone connectivity.
Because a collapsed backbone requires less cabling, it is considered
cheaper and easier to maintain than traditional backbones.
The network is not affected by individual cable faults because the hub/switch will isolate (partition) the port on which a cable fault occurs, effectively closing the linear bus and allowing the other devices on the network to continue functioning. However, because the hub/switch is the center of the star, it becomes a single point of failure, because if it stops functioning the devices can no longer communicate with each other.
The star topology has become the most used network topology today.
Ring Topology
The ring topology is designed using a loop of cable to interconnect
the devices. The signal is transmitted in a single direction around the
loop, with each device retransmitting the signal as they receive it.
The ring topology is considered an active topology, unlike the linear
bus, because of this. One of the drawbacks of this type of system is
that if any system stops passing the signal, or starts generating bad
signals, it can take the entire ring out. Figure 2.9 illustrates the
design of a ring topology.
FIGURE 2.9
Ring topology.
Tree Topology
The tree topology is based in part on the bus and the star topology.
In the tree topology devices are interconnected to each other via bus
connections; however, there are multiple nodes supported on each
potential branch, as shown in Figure 2.10.
FIGURE 2.10
Tree topology.
Mesh Topology
The mesh topology (sometimes called the mess topology) ensures that every node on a network is connected to every other node. This gives the most redundant paths of any topology at the cost of the most links: a full mesh of n nodes needs n(n-1)/2 connections, which is why most real deployments use a partial mesh, in which only the most important nodes are fully interconnected.
Ethernet
Ethernet is the single most predominant technology in use today. With speeds ranging from 10 Mbps to 10 Gbps, Ethernet possesses awesome speed and scaling capabilities. Today, most Ethernet is physically cabled as a star topology, but remember that logically it still functions as if it were a linear bus. This means that all Ethernet devices expect communication to occur as if they were connected to the same physical cable segment.
Ethernet is specified in the IEEE 802.3 specification as a Carrier Sense, Multiple Access/Collision Detection (CSMA/CD) methodology.

NOTE
802 Standards on the Web
The IEEE recently made the entire 802 standards documentation available for free online. You can now download the standards from http://standards.ieee.org/getieee802/portfolio.html?agree=ACCEPT. Although reading standards is not exactly the most pleasurable reading experience, there is no substitute if you truly want to know how things work.
LAN DEVICES
Now that we have seen the theory and architecture with which LAN
networks are built, as well as the physical interconnection methods
and networking types, we need to take a look at the components
and technologies that make up a network.
Today’s networks are primarily made up of five categories or types of
devices. Each type of device has unique capabilities, functionalities,
and vulnerabilities that as a security professional, you must be
aware of.
VLANs
VLANs are the creation of logically segmented networks within a
single switch, or within a single switch fabric. A switch fabric is a
group of switches that are physically connected to each other.
there is a drawback. Because the VLAN is logical, and the ports from both VLANs are often on the same switch or switch fabric, it is possible for data to physically transfer from one VLAN to another VLAN, even though it normally shouldn't. There have been numerous exploits, including buffer overruns in switch software and VLAN-hopping techniques such as trunk negotiation and double 802.1Q tagging, that allow frames to traverse VLANs without being routed. As a result, it is generally not recommended to use VLANs when segmenting internal and externally accessible networks (for example, when using a VLAN to separate a screened subnet and the internal network).

NOTE
Using Switches As a Security Mechanism
Port-based security is used particularly in environments that are extremely security conscious. With port-based security the administrator configures the switch to only allow a specified MAC (media access control) address to connect. While this can provide significant security to a network, it also has the potential to require a tremendous amount of overhead. Any time that computers move or the NIC is changed, the administrator has to update the switch accordingly. Bear in mind, too, that a MAC address can be changed in software, so port-based security raises the bar against casual connection rather than against a determined attacker who can learn a permitted address.

Routers
Routers continue to build on the technologies that we have previously discussed. Routers function at the Network layer, and are often
referred to as a layer-3 device. You may have heard of layer-3 switch-
es as well. A layer-3 switch is simply a hybrid device that combines
layer-2 and layer-3 functionality, allowing the switch to forward
frames when possible and route packets when needed. Because
switching occurs at layer 2, it is faster than routing. As you would
expect, layer-3 switches are particularly suited for VLAN
environments.
Routers are able to further optimize network traffic by utilizing the
logical addressing information available from the Network layer.
Routers are considered “network aware” which means that routers
can differentiate between different networks. Routers use this infor-
mation to build routing tables, which are tables that list the
following basic information:
á All the networks the router knows about
á The remote router to use to connect to those networks
á The paths, or routes, to the networks
á The cost, or metric, of sending data over the paths
Routers are also used to segment large networks into smaller ones, as
well as to reduce broadcasts on a network. Routers recognize that
most broadcasts are specific to the network that they originated, so
instead of forwarding the broadcast as a hub or switch does, the
router will stop the broadcast.
Because routers function higher in the OSI model than switches,
they are also able to provide better traffic management and security
capabilities than switches or hubs can. Routers are able to examine
logical addresses as well as the layer-3 header information to deter-
mine what application ports are being used and use this information
for traffic filtering and blocking purposes.
Firewalls
Firewalls have achieved a status as a panacea of sorts, a generic cure
all for a company’s security woes. Unfortunately, firewalls—while
still a great security measure—are not the be-all and end-all that
some would have you believe. Instead, firewalls should be considered
but a single component of a comprehensive security design.
Firewalls are designed to prevent traffic that is not authorized from
entering or leaving a network. They are typically deployed as a
perimeter security mechanism to screen Internet traffic that is
attempting to enter the network. There are six main types of
firewalls, sometimes referred to as “generations”:
á Packet filtering—Packet-filtering firewalls are very similar in
use and function to routers. In fact, many routers include pack-
et-filtering capabilities. Packet filtering firewalls function by
comparing received traffic against a rules set that defines what
traffic is permitted and what traffic is denied. This is typically
performed by using IP addresses and/or port numbers to iden-
tify permitted and denied traffic. If the received packet matches
the permitted traffic list, it is allowed to proceed. If it does not,
the firewall discards the packet. Packet-filtering firewalls
generally operate faster than other firewall types because they
often do not need to read more than the layer-3 or layer-4
information in a packet before making a filtering decision.
Packet-filtering firewalls are considered to be first-generation
firewalls.
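The first-match rule evaluation just described, as an added example that is not code from the book: a small packet filter in Python that compares the layer-3/layer-4 fields of each packet against an ordered rule set and falls through to an implicit deny. The rule set, addresses (RFC 5737 documentation ranges) and sample packets are constructed for illustration.

```python
"""Packet-filtering firewall: rule-set evaluation on layer-3/layer-4 fields.

Added example. The rule set, addresses and packets below are constructed
for illustration (RFC 5737 documentation ranges); they are not taken from
any real firewall configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at before deciding."""
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    """One line of the rule set. A field left as None matches anything."""
    action: str                   # "permit" or "deny"
    src: Optional[str] = None     # CIDR block, e.g. "198.51.100.0/24"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first rule that matches the packet.

    Rule order matters: the first match wins. A packet that matches no
    rule is discarded, which is the implicit deny at the end of the set.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule set for a perimeter filter in front of 192.0.2.0/24
# (used here as the internal/trusted network):
#   1. drop inbound packets claiming an internal source address
#   2. permit web traffic to the public web server only
#   3. permit mail delivery to the mail server only
#   everything else falls through to the implicit deny
INTERNAL = "192.0.2.0/24"
RULES = [
    Rule("deny", src=INTERNAL),
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("permit", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("permit", dst="192.0.2.25/32", proto="tcp", dport=25),
]


def decide_all(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Decision for each packet, in order."""
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80),   # web request: permit
        Packet("198.51.100.7", "192.0.2.25", "tcp", 25),   # inbound mail: permit
        Packet("198.51.100.7", "192.0.2.10", "tcp", 22),   # SSH to web server: deny
        Packet("192.0.2.33", "192.0.2.10", "tcp", 80),     # internal source from outside: deny
        Packet("198.51.100.7", "192.0.2.10", "icmp"),      # ping: no rule, implicit deny
    ]
    for pkt, verdict in zip(samples, decide_all(RULES, samples)):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport} {pkt.proto:<4} {verdict}")
```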
FIGURE 2.13
Packet-filtering firewall.
[Figure labels recovered from the firewall diagrams that followed: External/Untrusted Network, External Firewall, Internal/Trusted Network; one diagram adds a Screened Subnet/DMZ (Perimeter Network) between an External Firewall and an Internal Firewall.]
Much like firewall types, there are variations and hybrid designs of firewall architectures, but they are all based in part on these four principal designs. An example of this would be a SOCKS server, which is often used to provide proxy-based outbound access for clients running SOCKS client software. While this can do a great job of securing access to resources, it has some significant drawbacks in terms of IT support due to the requirement of the SOCKS client on every desktop.
NOTE: The Testing and Verification of Firewall Systems. TruSecure maintains an independent firewall testing criteria and a number of excellent FAQs and whitepapers that can provide more detailed information about firewalls. They can be accessed at http://www.icsalabs.com/html/communities/firewalls/index.shtml.
WAN TECHNOLOGIES
Whereas LAN technologies tend to focus on connecting a large
number of systems that are in close proximity to each other to a very
fast network, WAN technologies tend to focus on interconnecting
LANs and making connections to remote sites and resources. There
are three main categories of WAN networks:
Dedicated Connections
Dedicated WAN connections exist between two point-to-point sites
and generally are available at all times. Once the circuit is paid for,
the connection exists around the clock exclusively for the traffic the
customer is generating. These connections tend to be synchronous
serial connections, which simply means that the communication
between sites occurs with precision clocking and control bits that
specify the beginning and end of transmission characters. The classic
example of a synchronous serial connection is a T1 (or E1 in Europe).
Circuit-Switched Connections
Circuit-switched connections are based on the classic telephone net-
work. When two devices need to communicate between each other,
the data network they are using will dynamically bring up the cir-
cuits (or connections) that the two devices require in order to
exchange data. These circuits are maintained for the duration of the
call, which could lead to inefficient use of network resources. For
example, if the connection were always left open, it would prevent
other connections from being made. Circuit-switched networks tend
to use asynchronous serial connections, which simply means that
there is no timing of the data stream. Circuit-switched connections
tend to use dialup modems and ISDN, and thus are typically used
for low bandwidth or backup purposes. Because the connection is
established essentially by dialing the destination, provided authenti-
cation occurs to allow the connection, circuit-switched is considered
a fairly secure connection.
Packet-Switched Connections
Like dedicated connections, packet-switched connections use a syn-
chronous serial method of communications. Where packet switching
differs is that the packet-switched network is often shared by multi-
ple systems. The reason for this is simple. Often, a company does
not need a dedicated connection between sites with dedicated band-
width. The cost of maintaining such a connection can be very
expensive and by going with packet-switched the company can
effectively “time share” the WAN connection. They do this by pur-
chasing a guaranteed amount of bandwidth, for example 128Kbps.
Because lots of WAN traffic is small, bursty traffic, the company can
have the performance that it needs, but save costs by allowing the
underlying circuits to be shared among multiple companies and networks, effectively operating kind of like a party line. No matter what, the company will get the minimum bandwidth it purchased (oftentimes called the CIR, or Committed Information Rate), but if more bandwidth is available, the company is able to use it. The
classic packet-switched network is frame relay or X.25 with speeds
generally ranging from 56Kbps to 2.048Mbps. While not as secure
as a dedicated or circuit-switched network, packet-switched net-
works are still considered a fairly secure WAN medium.
Cell-Switched Connections
Cell-switched networks are similar to packet-switched networks, with
one important difference—cell-switched networks are ATM
(Asynchronous Transfer Mode) networks. ATM is a networking stan-
dard that uses fixed length 53-byte cells in the transmission of multi-
ple services, such as voice, video, and data. Because of the fixed
length cell size, transit delays are reduced because the equipment can
be configured to programmatically be prepared for data transmission
and receipt. ATM is designed for use on high speed media, for exam-
ple SONET, T3, and E3 with speed capabilities well into the Gbps
capacity. In fact, ATM has no theoretical top speed, but rather relies
on the underlying media to establish the rate of transmission. Like
packet-switched, ATM is considered a fairly secure WAN technology.
WAN Services
Whereas most LAN connections are based on either Ethernet or
Token-Ring, a number of different WAN services provide for WAN
connectivity in an internetwork. The following sections discuss these.
X.25
X.25 is a WAN connection technique that functions at the physical
and Data Link layers of the OSI model. X.25 uses virtual circuits for
establishing the communications channel between hosts. A very reli-
able protocol, X.25 has been replaced in many environments by the
faster Frame Relay.
Frame Relay
Frame relay is one of the most popular WAN connection techniques
due to its reliability and support of multiple protocols. Frame relay
is based on X.25, but it is considered a faster technology because it
leaves error correcting functionality to higher layers. Functioning at
the physical and Data Link layer, frame relay provides the communi-
cation interface between the DTE (Data Terminal Equipment) and
DCE (Data Circuit-Terminating Equipment). Connectivity between
two DTEs is provided via the use of virtual circuits, similar to X.25.
Frame relay uses DLCIs (Data-Link Connection Identifiers) to iden-
tify the end points of communication of a circuit. Frame relay func-
tions at speeds up to 2Mbps and does not use authentication. Like
HDLC, if authentication is required it is recommended to use
something such as PPP instead.
WAN Devices
Now that you have seen the theory and architecture that WAN con-
nections are built with, as well as the physical interconnection meth-
ods and networking types, you need to look at the components and
technologies that enable WAN connectivity. These are
á Routers—Although routers are a LAN device, they are also
used extensively on WANs to provide routing between
subnets.
á WAN switches—WAN switches operate at the Data Link
layer of the OSI model, but that is where their similarity with
LAN switches ends. Typically used on the carrier networks,
WAN switches connect private data over public circuits.
FIGURE 2.17
Client-based dial-in connection.
[Diagram labels: POTS/Telco, Internal Network]
Client-Based VPNs
Client-based VPNs provide remote access to users. Users run some
form of VPN client software on their computers, which allows them
to connect to the corporate network as if they were a node on that
network. Unlike site-to-site connections, client-based VPNs rarely
allow for systems other than the one running the client software to
connect with the VPN.
Site-to-Site VPNs
Site-to-site remote access connections have come into use as a mech-
anism for connecting remote sites via the Internet. A site-to-site
VPN is a permanent or semi-permanent connection between two
devices, typically firewalls or routers. Site-to-site connections link up
remote offices across the Internet. Computers on the remote LAN
require no special software to communicate with the network to
which the VPN connects. Rather than paying for an expensive
site-to-site or packet-switched WAN connection for remote access,
companies have begun using the Internet as their WAN connection
with a VPN used to secure the traffic. Although this can provide a
relatively cheap method of connectivity for small remote sites and
home offices, particularly using high-speed broadband technologies
such as DSL (Digital Subscriber Line) and cable modem, you must
remember that the Internet is not a reliable connection. If a reliable
site-to-site remote access connection is required, you really need to
go with a traditional WAN solution. The benefit of the site-to-site
remote access solution is that individual clients on the remote net-
work require no special software or configuration to provide remote
access capabilities. Typically a router or VPN hardware device
handles all client requests, forwarding them to the Internet or to the
remote site as required. This is known as split tunneling. Figure 2.18
illustrates how client-based and host-to-host VPN connections
would be connected.
[FIGURE 2.18 diagram labels: Site-to-Site VPN; Client-based VPNs; Client running VPN Software; ISP Access Server; ISP Router; VPN Tunnels; VPN Capable Router or Firewall; Ethernet Switch/Internal Network]
VPN Protocols
Three primary technologies are used for providing remote access
VPN capabilities:
á PPTP—PPTP is a Microsoft-developed technology that pro-
vides remote access by encapsulating PPP inside a PPTP pack-
et. PPTP uses the PPP authentication mechanisms of PAP,
CHAP, or MS-CHAP for authentication and RSA RC4 and
40-bit or 128-bit session keys and encryption. PPTP supports
multi-protocol tunneling.
NETWORKING PROTOCOLS
Protocols are simply the rules by which something functions. In the
case of network protocols, these are the rules that control how data
is processed. Protocols often have OSI layer–specific functionality
that they are responsible for. As discussed in the following sections,
there are a number of protocols that a security professional should
be aware of in network environments.
Transmission Control Protocol/Internet Protocol
Transmission Control Protocol/Internet Protocol (TCP/IP) is the
foundation on which virtually all networking today occurs. TCP/IP
is actually a suite of protocols that was developed by the
Department of Defense to provide a highly reliable and fault toler-
ant communications infrastructure. TCP/IP was designed following
a four-layer architectural model, as opposed to the OSI seven-layer
model as illustrated in Figure 2.19.
FIGURE 2.19 (layer mapping recovered from the figure labels)
OSI model        TCP/IP model
Application      Application
Presentation     Application
Session          Application
Transport        Transport/Host to Host
Network          Internet
Datalink         Network
Physical         Network
REVIEW BREAK
Reviewing TCP and UDP
TCP and UDP provide the mechanism that hosts use to transport
data between hosts across the network. Table 2.2 compares TCP and
UDP, highlighting the key functions of each.
TABLE 2.2
COMPARISON OF TCP AND UDP
TCP                           UDP
Acknowledged data transfer    Unacknowledged data transfer
Uses sequencing               Does not use sequencing
Connection-oriented           Connectionless
Reliable                      Unreliable
In other cases, it may be suitable to use a single server with file per-
missions and security to prevent unauthorized access. Many of these
principles are based on what is known as the Rainbow Series of
books.
In addition to email, you also have the increasing use of online purchasing and bill payment. To protect these transactions, Secure Electronic Transmission (SET) was developed as a framework for protecting credit cards used in Internet transactions against fraud. SET uses a subset of a PKI (Public Key Infrastructure) to provide for the confidentiality and integrity of the cardholder data, while at the same time providing for the authentication of the card.
With a packet sniffer, the security admin can see the exact format of
frames and packets, which can be useful if you want to block a cer-
tain type of packet format. For example, peer-to-peer file-sharing
utilities—such as Morpheus, KaZaa, and Napster—are a current
bane to many network admins. The problem is that many of these
programs use what would normally be opened application ports for
their communications mechanism (for example, using TCP port 80,
which is typically used for HTTP communications). However, the
data packets have a unique format that does not necessarily match
what normal Web browsing traffic looks like. By running a packet
sniffer and observing the traffic patterns that the software uses, the
security administrator can then configure perimeter security devices
such as firewalls and proxies to drop the specific frames that match
the pattern of the prohibited software. This is sometimes known as
pattern-based application recognition, or what Cisco calls
Content-Based Access Control (CBAC).
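Pattern-based application recognition as described above, as an added example that is not from the book: each flow on a web port is checked against a signature captured from the prohibited software and, failing that, against what the start of a genuine HTTP exchange looks like. The signature bytes and the sample flows are constructed for illustration and are not real file-sharing signatures.

```python
"""Pattern-based application recognition on a well-known port.

Added example. The traffic samples and the "prohibited software" signature
are constructed for illustration; they are not real file-sharing
signatures. In practice the signature is taken from a packet capture of
the software in question, as the text describes.
"""
from typing import Dict, List, Tuple

WEB_PORTS = {80, 8080}

# Start of a legitimate HTTP exchange: a request line or a status line.
HTTP_REQUEST_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ",
                         b"DELETE ", b"OPTIONS ", b"TRACE ", b"CONNECT ")
HTTP_RESPONSE_PREFIX = b"HTTP/"

# Constructed signature: the byte pattern an administrator captured from a
# hypothetical program that tunnels over TCP port 80.
PROHIBITED_SIGNATURES: Dict[str, bytes] = {
    "p2p-share-demo": b"\x00\x01PSHR",
}


def looks_like_http(payload: bytes) -> bool:
    """True when the first bytes of a stream form an HTTP request or status line."""
    return (payload.startswith(HTTP_REQUEST_PREFIXES)
            or payload.startswith(HTTP_RESPONSE_PREFIX))


def classify(dport: int, payload: bytes) -> str:
    """Label one flow from its destination port and first payload bytes.

    Returns "http" for genuine web traffic, "prohibited:<name>" when a
    known signature matches, "unrecognized" for anything else on a web
    port (worth a closer look), and "other-port" for flows this check
    does not inspect.
    """
    if dport not in WEB_PORTS:
        return "other-port"
    for name, signature in PROHIBITED_SIGNATURES.items():
        if payload.startswith(signature):
            return f"prohibited:{name}"
    if looks_like_http(payload):
        return "http"
    return "unrecognized"


def flows_to_block(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """Source addresses whose web-port traffic matches a prohibited signature."""
    return [src for src, dport, payload in flows
            if classify(dport, payload).startswith("prohibited:")]


# Constructed capture: (source address, destination port, first payload bytes)
SAMPLE_FLOWS = [
    ("192.0.2.11", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("192.0.2.12", 80, b"\x00\x01PSHR\x05search\x00movie"),   # prohibited program on port 80
    ("192.0.2.13", 443, b"\x16\x03\x01\x00\xa5"),             # TLS handshake; not inspected here
    ("192.0.2.14", 8080, b"\x7f\x00\x00\x00binary-blob"),      # unknown protocol on a web port
]

if __name__ == "__main__":
    for src, dport, payload in SAMPLE_FLOWS:
        print(f"{src} -> :{dport} {classify(dport, payload)}")
    print("block:", flows_to_block(SAMPLE_FLOWS))
```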
When used by a malicious user, a packet sniffer can provide infor-
mation that the user would not otherwise have been able to gain
access to. For example, when I lecture on how to use a packet sniffer,
I will often capture data for about 10 minutes during class.
Normally, at least one of the students is checking email, typically
over an unencrypted Web site. I will then find the packets that were
part of the user’s connection to the Web site and will often read back
part of the email message (with the victim’s permission, of course) to
demonstrate how easy it is for a malicious user to gain access to priv-
ileged information. In another case, I was working on a product that
displayed information via a Web interface. The main Web page used
authentication to validate the user, but the data Web pages did not.
The data Web pages were used to export the data to another soft-
ware program. When I explained that this was a security hole,
because someone could connect to the data URLs unchallenged, I
was told that because the URLs contained a unique object identifier,
it would be virtually impossible to guess the URL. I bet lunch that I
could gain access to this information in no more than 10 minutes,
without needing to guess. I set up a packet sniffer and then proceed-
ed to start the software that the data is exported to. Because it
collected data on a 10-minute cycle, I needed to only wait for the
packet sniffer to capture the URL, object identifier included, and
thus earn a rather nice steak lunch.
Intrusion Detection
Intrusion detection is the process of monitoring systems for evidence
of an intrusion or misuse. You accomplish this by collecting infor-
mation from numerous sources and then analyzing the information
for symptoms of a security compromise. This information can then
be used to alert administrators to determine the relevance and severi-
ty of the incident. It is important to note that intrusion detection is
not intrusion response. Intrusion response occurs after the event has
been properly detected. Intrusion Detection Systems (IDSs) are
responsible for performing the following tasks:
á Monitoring and analyzing user, system, and network access
á Auditing system configurations and vulnerabilities
á Assessing the integrity of system and data files
á Recognizing activity patterns that would seem to indicate an
incident
IDSs have earned a bit of a mystique as being the silver bullet need-
ed to prevent attacks before they become an issue. While the poten-
tial is certainly there, the reality is that the technology is not a
substitute for a human being actively monitoring and managing
network resources. Instead, an IDS is simply another tool in the
well-prepared security professional’s toolbox.
Intrusion Response
Intrusion response is the principle of defining how to respond when
an intrusion is detected. Intrusion response is often defined as part of
the responsibilities of a Computer Incident Response Team (CIRT).
Transparency
Transparency is simply the ability of a device to not appear to exist.
Transparency can be a very effective security mechanism for a simple
reason: How can you exploit something that does not appear to
exist? In normal communications, when a device receives a packet
for a service that is not running, the device notifies the sender that
the service is not available. When a device is configured for trans-
parency, though, rather than responding, “service is not running,”
the device silently drops the packet, often forcing the sender to wait
for a time-out period before it can attempt to connect again.
Because the sender did not receive a response one way or the other,
the sender is unable to determine what, if anything, might exist on
the given IP address. Transparency is often used on firewalls to pre-
vent connections to the external interface other than for services and
addresses specifically advertised.
Hash Totals
Hashing is the process of assigning a value to represent some original data string. The value is known as the hash total. Hashing provides an efficient method of checking the validity of data: rather than comparing the actual data, systems compare the hash totals to determine whether the data is the same or different. The hash value is represented in a database of some form, which allows for quicker indexing and searching for the original value. If the hash totals match, the data is the same. If the hash totals differ, the data is different. One of the
best examples of this is Windows authentication. A common miscon-
ception is that when a user attempts to log on to a system, his user-
name and password are sent to a domain controller for validation.
Actually, the client generates a hash total based on the password the
user enters, and sends that to the domain controller. The domain
controller then checks the hash total against the hash total it has to
represent the password. If they match, the user is allowed to log in. If
they do not match, the user is prompted that he cannot log in.
Because the actual password is never transmitted, there is an addi-
tional degree of security imparted in the transmission.
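Hash totals applied to data validation, as an added example that is not code from the book: a baseline of hash totals is taken over a directory and later compared against fresh totals, the way file integrity checkers work. Matching totals mean a file is unchanged, differing totals mean it was modified, and files present on only one side were added or removed. The sample files are constructed in a temporary directory for illustration.

```python
"""Hash totals used to check whether data has changed.

Added example (not from the book). A baseline of hash totals is taken
over a directory, and later compared against freshly computed totals;
only the totals are compared, never the file contents themselves.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_total(path: str, algorithm: str = "sha256") -> str:
    """Compute the hash total of a file, reading it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file under root (path relative to root) to its hash total."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_total(full)
    return baseline


def compare_totals(baseline: Dict[str, str],
                   current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files by comparing hash totals rather than file contents."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "unchanged": sorted(p for p in common if baseline[p] == current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Create or overwrite a file below root (helper for the constructed sample)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed sample: take a baseline, change the tree, compare totals."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/service", b"\x7fELF constructed binary image\n")
        _write(root, "etc/mail.conf", b"relay = off\n")
        _write(root, "etc/notes.txt", b"constructed sample\n")
        baseline = build_baseline(root)

        _write(root, "etc/mail.conf", b"relay = on\n")            # modified
        os.remove(os.path.join(root, "etc", "notes.txt"))         # removed
        _write(root, "bin/newtool", b"MZ constructed binary\n")   # added
        return compare_totals(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```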
Email Security
As recent news articles would suggest, the importance of email security is becoming more and more of an issue. Not only are the security and reliability of the mail datastore important, but the security of the content during transmission is equally important.
Security of email during transmission is pretty much the exclusive
domain of encryption. Even if the email is able to be captured, the
content is secure unless the content can be decrypted.
Another aspect of email security is securing the servers responsible
for handling email. One of the biggest problems on the Internet
today is the occurrence of UCE (unsolicited commercial email), bet-
ter known as spam. Spam is bulk mail sent to people throughout the
world. Most spam is not sent from the spammer’s system, however.
That would imply that the spammer would need to pay money for
the bandwidth and servers that the spam requires for transmission.
Instead, spammers look for SMTP servers that permit relaying of
mail. Relaying is the capability of the SMTP server to send mail on
behalf of someone else, in this case the spammer. To prevent your
systems from being able to be used in this manner, ensure that you
turn off relaying on the server. Now you might ask why you should
do this, if it doesn’t affect you. Well, aside from consuming your
bandwidth, servers that leave their relays open tend to get added to
various “blacklists” of Internet servers. If configured, other email
servers will not accept email from or allow email to blacklisted
servers.
Any discussion of email would be remiss without a discussion of
viruses. Email is the single biggest method of spreading viruses
today. Unfortunately, the best defense against viruses is the hardest
thing to accomplish—educating users. As a result, it is critical to
employ virus detection and removal software to detect and clean
potentially harmful software. Even this stops short of effective pro-
tection however, because most virus software can only detect and
remove viruses that it knows about. To augment the use of virus pro-
tection software, it is also recommended to block certain high-risk
attachment types from being sent via email. A small list of attach-
ment types to block would be scripts, executables, and files that
contain macros (for example, Microsoft Word documents).
Class A Abuses
Class A network abuse is the result of unauthorized network access
through the circumvention of security access controls. This is some-
times referred to as logon abuse and can range from legitimate users
trying to access resources that they are not allowed to, to external
threats attempting to gain access to a network. There are a number
of techniques and countermeasures for class A network abuse:
Class B Abuses
Class B network abuse is defined by non-business use of systems. This
can be as surreptitious as someone printing personal items on com-
pany resources to as bold as visiting unauthorized Web sites. The
most effective way to counteract class B network abuse is by way of a
defined acceptable use policy (AUP) and an enforceable security
policy with consequences for non-business use of resources. Content
filtering and application proxies can also be used to provide a single
point at which restrictions against unauthorized access can be
enforced. Here are the types of Class B abuses:
á PBX fraud and abuse—PBX fraud costs companies millions
of dollars every year. I know of a case in which a company had
two employees in different countries. These employees were
dating and racking up long-distance charges of up to $5,000
per month, calling each other on the company’s phone system.
Several things can be done to prevent PBX fraud and abuse.
Class C Abuses
Class C network abuse is identified by use of eavesdropping tech-
niques. These techniques can be active or passive in nature and
include everything from listening to what someone is saying to tap-
ping into a network to intercept network traffic. Some techniques
for eavesdropping are
á Network sniffing—Capturing passing packets. As mentioned
previously, network sniffing can provide the watcher with all
the information they could need to compromise a system. One
of the ways to defend against network sniffing, although not a
complete solution, is through the use of switches for a network
infrastructure. The most effective countermeasure though is
through the use of encryption—for example, IPSec—because
data that cannot be decrypted cannot be read.
Class D Abuses
Class D network abuse is identified by denial of service saturation of
network services and resources. There are many types of denial of
service attacks, but here are a few of the more popular:
á SYN flooding—As part of TCP communications, the devices
attempting to communicate must synchronize the manner in
which they will communicate. In a SYN flood, the server is
inundated with requests to open a session, but the session is
never completed. The server must wait for the establishment
timeout to occur to clear the partial session, during which
time it continues to be inundated with requests for more ses-
sions. Eventually, the server runs out of resources with which
to manage sessions and stops responding. SYN floods can be
defended against by employing an IDS to detect and respond
to SYN attacks. Additionally, the timely application of patches
(a common theme) can also help to prevent SYN floods from
being successful. Finally, increasing connection queue size and
decreasing establishment timeouts can also prevent SYN floods
from being successful.
á Buffer overflows—Buffer overflows are generally the result of
poorly written and tested code. Buffer overflows can be exploit-
ed by performing actions that cause the system to run out of
resources with which to service legitimate requests or sending
excessive data that the system is unable to process properly.
In some of the worst cases, buffer overflows can actually pro-
vide the ability to run arbitrary code on the affected system.
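The SYN flood symptom described above, a backlog of half-open sessions that never complete, as an added detection example that is not code from the book. It reads a server's connection table, counts SYN_RECV entries per local port and the distinct sources behind them, and raises an alert when the backlog passes a threshold. The connection-table lines are constructed in the style of `netstat -tn` output, and the threshold is an illustrative value rather than a recommendation for any particular server.

```python
"""Spotting a SYN flood from the server's connection table.

Added example (not from the book). The connection-table lines are
constructed in the style of `netstat -tn` output; the threshold is an
illustrative value, not a recommendation for any particular server.
"""
import re
from collections import defaultdict
from typing import Dict, List

# proto recv-q send-q local-address:port foreign-address:port state
NETSTAT_LINE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<local>\S+):(?P<lport>\d+)\s+"
    r"(?P<remote>\S+):(?P<rport>\d+)\s+(?P<state>\S+)$"
)


def half_open_by_port(lines: List[str]) -> Dict[int, Dict[str, int]]:
    """Half-open (SYN_RECV) sessions per local port, with the number of distinct sources."""
    half_open: Dict[int, int] = defaultdict(int)
    sources: Dict[int, set] = defaultdict(set)
    for line in lines:
        m = NETSTAT_LINE.match(line.strip())
        if not m or m.group("state") != "SYN_RECV":
            continue
        port = int(m.group("lport"))
        half_open[port] += 1
        sources[port].add(m.group("remote"))
    return {p: {"half_open": half_open[p], "sources": len(sources[p])} for p in half_open}


def detect_syn_flood(lines: List[str], threshold: int) -> List[Dict[str, int]]:
    """Ports whose half-open backlog is at or above the threshold.

    A backlog made up of many distinct sources with one SYN each is the
    usual picture of a flood with forged source addresses; a handful of
    SYN_RECV entries is normal for a busy service.
    """
    alerts = []
    for port, stats in sorted(half_open_by_port(lines).items()):
        if stats["half_open"] >= threshold:
            alerts.append({"port": port, **stats})
    return alerts


def constructed_sample() -> List[str]:
    """Constructed connection table: a web server under a SYN flood, plus normal traffic."""
    lines = []
    for i in range(120):   # 120 half-open sessions from 120 different addresses
        lines.append(f"tcp 0 0 192.0.2.10:80 203.0.113.{i + 1}:{40000 + i} SYN_RECV")
    lines += [
        "tcp 0 0 192.0.2.10:80 198.51.100.7:51234 ESTABLISHED",
        "tcp 0 0 192.0.2.10:80 198.51.100.8:51240 ESTABLISHED",
        "tcp 0 0 192.0.2.10:25 198.51.100.9:40011 SYN_RECV",
        "tcp 0 0 192.0.2.10:25 198.51.100.12:40019 SYN_RECV",
        "tcp 0 0 192.0.2.10:22 198.51.100.20:50002 ESTABLISHED",
    ]
    return lines


if __name__ == "__main__":
    for alert in detect_syn_flood(constructed_sample(), threshold=50):
        print(f"port {alert['port']}: {alert['half_open']} half-open sessions "
              f"from {alert['sources']} sources")
```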
Class E Abuses
Class E network abuse is generally defined by network intrusion and
prevention. As with DoS attacks, there are many types of intrusion
to be aware of:
á Spoof attacks—Spoof attacks, or spoofing, are simply the process of an attacker appearing to be something other than it is. The goal is to attempt to get traffic delivered to a host that the hacker has control of. One of the more common spoof attacks is an ARP redirect in a switched environment. As you may recall, ARP is used to determine the MAC-to-IP address associations to allow for network communications. Using an
ARP redirect attack, the hacker configures a system to claim to
have a MAC address belonging to another system (typically
the default gateway). When the switch receives traffic destined
for the default gateway, it actually forwards the frame to the
host performing the ARP redirect, because that is where the
switch thinks the MAC address is located. The hacker can
then run a packet sniffer to capture the data, and forward the
frame to the default gateway, ensuring that the user never
detects a problem. One of the countermeasures against ARP
redirects is to maintain static ARP mappings, or to use port-
based security to only allow certain MAC addresses to be used
on certain ports. Another option is to maintain a mapping of
“important” MAC addresses, and monitor traffic to see if
other devices claim to have that MAC address.
á Trojans—Trojans are software that an attacker installs on a
system (for example, by emailing a “check out this great
whack-a-mole game” message) that typically exists to provide
remote control capabilities of the affected system. Trojans are typi-
cally disguised as some sort of useful program, which increases the
odds of it being run. Some common Trojans are Subseven,
NetBus and BackOrifice. Some countermeasures against Trojans
are through the use of file integrity tools such as Tripwire that can
detect when files are added or modified and notify the administra-
tor. Additionally, many commercial virus detection programs
include the ability to detect and clean Trojans. In the case of
Trojans that provide remote control capabilities, a good counter-
measure is the use of egress filtering on your routers and firewalls.
Egress filtering is the process of restricting all outbound traffic,
only allowing the specific outbound traffic that users require.
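The ARP redirect countermeasure from the spoof attacks item above, keeping a mapping of "important" MAC addresses and watching whether other devices claim them, as an added detection example that is not code from the book. Every ARP reply is checked against the static mapping in both directions: a watched IP answered with a different MAC, and a watched MAC offered for an IP it does not own. The mapping and the reply records are constructed for illustration (documentation MAC and IP ranges), and the one-line record format is assumed rather than taken from any particular capture tool.

```python
"""Watching for ARP redirects against addresses we care about.

Added example (not from the book). The watched mapping and the ARP reply
records are constructed; 00:00:5e:00:53:xx is the documentation MAC
range and 192.0.2.0/24 a documentation IP range. The record format
"reply <ip> is-at <mac>" is an assumption made for this example.
"""
import re
from typing import Dict, List

ARP_REPLY = re.compile(
    r"^reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)

# Static mapping of the important addresses on this segment (constructed).
WATCHED: Dict[str, str] = {
    "192.0.2.1": "00:00:5e:00:53:01",    # default gateway
    "192.0.2.25": "00:00:5e:00:53:25",   # mail server
}


def check_arp_replies(records: List[str], watched: Dict[str, str]) -> List[Dict[str, str]]:
    """Compare every ARP reply against the static mapping of important addresses.

    Two conditions are flagged: a watched IP answered with a MAC other
    than the one on record, and a watched MAC offered for an IP it does
    not own. Either is what an ARP redirect aimed at the gateway looks
    like from the wire.
    """
    expected_mac = {ip: mac.lower() for ip, mac in watched.items()}
    owner_of_mac = {mac.lower(): ip for ip, mac in watched.items()}
    alerts = []
    for rec in records:
        m = ARP_REPLY.match(rec.strip())
        if not m:
            continue   # not an ARP reply record; ignored
        ip, mac = m.group("ip"), m.group("mac").lower()
        if ip in expected_mac and mac != expected_mac[ip]:
            alerts.append({"type": "ip-claimed-by-other-mac", "ip": ip,
                           "expected": expected_mac[ip], "seen": mac})
        if mac in owner_of_mac and owner_of_mac[mac] != ip:
            alerts.append({"type": "mac-claimed-for-other-ip", "mac": mac,
                           "owner": owner_of_mac[mac], "seen_ip": ip})
    return alerts


# Constructed records of ARP replies seen on the segment.
SAMPLE_RECORDS = [
    "reply 192.0.2.1 is-at 00:00:5e:00:53:01",    # gateway answering normally
    "reply 192.0.2.40 is-at 00:00:5e:00:53:40",   # unrelated workstation
    "reply 192.0.2.1 is-at 00:00:5e:00:53:aa",    # gateway IP claimed by another device
    "reply 192.0.2.41 is-at 00:00:5e:00:53:25",   # mail server MAC offered for another IP
]

if __name__ == "__main__":
    for alert in check_arp_replies(SAMPLE_RECORDS, WATCHED):
        print(alert)
```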
Class F Abuses
Class F network abuse refers to probing attacks. A variation of eavesdropping, probing attacks are used by malicious users to gain information about a network in preparation for a network intrusion or
other attack. Depending on the information able to be gathered,
probe attacks can give an intruder a list of services and resources
available on the network, and can even provide a diagram of the net-
work layout and how systems are interconnected. There are a num-
ber of types of probes:
• Port scans—Port scans query a system to determine which ports, and thus which applications, are responding on it. A port scan can produce a rather in-depth list of the services in use. Countermeasures to port scans are to run only the required services on a device and to configure systems to silently drop requests for services they are not running, rather than responding that the service is not there. Silently dropping the request forces the scanner to wait for a timeout on every closed port, which makes scans take significantly longer and increases the likelihood of catching the scanner in the act.
• Banner abuse—Many services send banners that include information about the type of system the service is running on. Examples are HTTP, FTP, and SMTP banners. This information can be used to determine the types of exploits to which a system might be vulnerable. For example, if the FTP banner of a server reveals that the server is running on Microsoft Windows, the prober knows what types of vulnerabilities the system might be susceptible to. Countermeasures for banner abuse are to change the banner so that it does not reflect what the system is actually running, or to use proxies for external access to resources, which prevents the prober from communicating with the target host directly.
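The "catching the scanner in the act" part of the port-scan countermeasure depends on actually looking at what the firewall drops. The following detector is an added example, not code from the book: it parses firewall drop records, groups them by source and destination, and reports any source that touched many distinct ports on one host inside a short window. The log format imitates the netfilter/iptables LOG style but is constructed here, as are the addresses and timestamps; adapt LINE_RE to your own firewall's output.

```python
"""Detect port-scan probes in firewall drop logs (added example, not from the book)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches one constructed DROP record; real firewalls differ, adjust the pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def constructed_log():
    """Constructed sample log (not real traffic).

    Source 203.0.113.7 walks twelve consecutive ports on one host in twelve
    seconds: a scan. Source 198.51.100.4 keeps retrying SMTP to a host that is
    not listening: noisy, but a single port, so not a scan.
    """
    lines = []
    for i, port in enumerate(range(21, 33)):
        lines.append(
            f"2002-10-21 03:43:{i:02d} DROP SRC=203.0.113.7 DST=192.0.2.10 "
            f"PROTO=TCP SPT={40000 + i} DPT={port} SYN"
        )
    for i in range(6):
        lines.append(
            f"2002-10-21 03:43:{i * 5:02d} DROP SRC=198.51.100.4 DST=192.0.2.10 "
            f"PROTO=TCP SPT={51000 + i} DPT=25 SYN"
        )
    lines.append("Oct 21 03:43:59 kernel: unrelated message the parser must skip")
    return "\n".join(lines)


def parse_log(text):
    """Return a list of (timestamp, src, dst, proto, dport) for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a DROP record in the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def find_scanners(events, min_ports=10, window_seconds=60):
    """Return {src: sorted distinct ports} for every source that touched at
    least min_ports distinct ports on one destination within any window of
    window_seconds. One port retried many times never qualifies."""
    by_pair = defaultdict(list)
    for ts, src, dst, _proto, dport in events:
        by_pair[(src, dst)].append((ts, dport))

    scanners = {}
    for (src, _dst), probes in by_pair.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            # slide the window start forward until it spans at most window_seconds
            while (probes[end][0] - probes[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in probes[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in probes})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_scanners(parse_log(constructed_log())).items():
        print(f"probable scan from {src}: {len(ports)} ports ({ports[0]}-{ports[-1]})")
```

The threshold is on distinct destination ports, not on packet count, so a legitimate client retrying one closed port is not flagged. Note the trade-off with the countermeasure above: a host that answers closed ports with a reset gives the scanner an instant answer and leaves nothing for a DROP log to record, whereas silently dropping the probe both slows the scanner down and produces exactly the records this detector consumes.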
What happens if the entire server fails though? This is where the use
of clustering technologies comes into play. There are two types of
clustering concepts:
• Data clustering—Data clustering is the classic redundant server scenario. The administrator configures two servers as mirrors of each other, both sharing access to a common storage system. If one of the servers fails, the services running on that server can be transferred to the backup server, ideally with little to no impact on the user.
• Network services clustering—Also known as load balancing, network services clustering improves system performance by distributing network requests among multiple servers that typically have the same functionality. The classic scenario is Web services, where each server maintains an exact copy of the Web site, so any of the servers can service a client request. If one server is busy servicing a request, another can take the next one, and if one of the servers fails, the remaining servers handle the requests.
Cable Failures
Cable failures are one of the most common types of network failures. Each cabling type has different vulnerabilities and effects, as illustrated in the following:
• Coax cable—Coax cable creates a single point of failure: if the cable is broken in any fashion, all systems on that cable are unable to communicate.
• Twisted pair—Twisted pair, particularly unshielded twisted pair, is highly susceptible to interference, and it has a shorter distance limitation than other cable types. On the plus side, a cable failure affects only the device connected to that cable.
• Fiber-optic cable—Fiber-optic cable is immune to the electromagnetic interference that both coax and twisted pair are susceptible to. Fiber optic has much longer distance limits and is very fault tolerant, provided it is protected. The biggest problem with fiber optic is damage to the glass core, but if the cable is properly installed this should virtually never occur.
Topology Failures
The good news about many topology failures is that in a well-designed network the failure can be addressed and worked around through redundancy in the design. Each type of network topology has different vulnerabilities and effects, as illustrated in the following:
• Ethernet—Ethernet is the most popular network topology in use, largely because it can be implemented to be very tolerant of network failures. This is especially true in star, wired, and partially meshed hybrid designs.
• Token-Ring—Token-Ring was designed to be more fault tolerant than even Ethernet when implemented properly. Unfortunately, the cost of a well-designed Token-Ring topology can be the biggest hindrance to good fault tolerance.
• Fiber Distributed Data Interface (FDDI)—Similar in design to Token-Ring, FDDI uses redundant rings to ensure that if the primary ring fails, devices can continue to communicate via the secondary ring.
• Leased lines—Leased lines provide a point-to-point connection and can be a single point of failure because they generally have no fault tolerance built into them. Effectively, when a leased line fails you are at the mercy of the provider to fix it in a timely fashion. One way around this is to use redundant leased lines from different providers. Some networks even use technologies such as ISDN to provide an on-demand connection in the event of a leased-line failure.
• Frame relay—Frame relay is one of the most fault tolerant topologies because it was designed so that if any segment of the public network fails, traffic is diverted to other network segments. Fault tolerance can be further augmented by using multiple providers, as with leased lines.
CASE STUDY: CODE RED
ESSENCE OF THE CASE
The following points are the essence of the case:
• Microsoft's Web server software (IIS) had known vulnerabilities.
• Three worms were written that exploited these vulnerabilities.
• The worms spread by using commonly permitted traffic types, SMTP, HTTP, and TFTP, to locate and infect other systems.
• The worms would deface legitimate Web sites.
• The worms would launch a DoS attack against a certain IP address.
• The worms would further expose systems by opening administrative access on the systems using the guest account.
• Due to the nature of the replication pattern, the worms could act as a DoS against network infrastructure equipment, particularly routers.
SCENARIO
In the late summer and early fall of 2001 a series of worms was released that wreaked havoc on Windows-based computer systems throughout the world. These worms were known as CodeRed, CodeRedII, and Nimda.
CodeRed was a fairly complex worm that was discovered on July 13, 2001. While many worms prior to CodeRed spread through email, CodeRed spread using the HTTP protocol. The worm was written to exploit a known vulnerability in Microsoft's Web server, documented in Microsoft security bulletin MS01-033. The worm functioned by exploiting a buffer overflow in the file IDQ.DLL, which is part of the Microsoft Index Server product. CodeRed then potentially did a number of things:
• It would attempt to spread itself by attempting to connect to systems on randomly determined subnets.
• On U.S. English systems it would deface the Web pages, causing them to display
Welcome to http:// www.worm.com !
Hacked By Chinese!
What would happen then is that the routers would issue an ARP request for the IP address, because the router had no way of knowing that the IP address did not exist on the network. All the ARP requests would cause the router to fill its buffers waiting for responses that were never coming, thus preventing real data from passing through the router. This DoS was particularly effective in poorly designed networks that used class B address spaces that were largely vacant. Part of the beauty of CodeRed is that it really hit the wild on a Friday, which meant that many sites were totally unprepared for it due to the weekend.
On August 4, 2001, a variant of CodeRed known as CodeRedII was released. CodeRedII used the exact same exploit, and amazingly a lot of companies were affected by it as well. CodeRedII was much more aggressive than CodeRed, however, and devoted more resources to distributing itself, making the effect of the router DoS much more severe. While the payload of CodeRed was ultimately the DoS attack against the White House Web site, CodeRedII was designed to deploy a Trojan on infected systems that provided full remote control and execution capabilities. This Trojan effectively provided a back door for access to the Web server.
On September 18, 2001, a new worm hit the streets known as Nimda (which is admin spelled backwards). Nimda exploited a Web Folder Traversal vulnerability that allowed an attacker to craft a URL that provided access to any directory and file on the server. This exploit was documented in a Microsoft security bulletin released on October 17, 2000 (MS00-078). One of the most shocking things about Nimda was the aggressiveness with which it attempted to spread itself. Although we had seen worms use email or HTTP as a delivery mechanism, Nimda was one of the first to use both techniques at the same time, as well as using TFTP to spread, which was a fairly new method. Nimda did a number of things:
• Nimda used mass mailing to spread itself.
• Nimda modified numerous files, which allowed it to be run any time one of the modified files was executed.
• Nimda would create a large number of files, which could cause a system to run out of disk space.
• Nimda opened a significant security hole by sharing the C: drive. In conjunction, Nimda added the user "Guest" to the local Administrators group, allowing anyone to then connect to the share as an administrator.
Numerous variants of Nimda have since been released, but all are fundamentally the same in function.
ANALYSIS
So what can we learn from these three worms?
First and foremost in importance is an examination of the date of infection and the date the exploits were documented by Microsoft. In each case, Microsoft had released a patch before the worm hit the street. In the case of Nimda, the patch was released almost a full year prior to the creation of Nimda. The lesson is to apply patches from vendors in a timely fashion.
Second, these worms were able to infiltrate companies because the companies allowed access into the network on ports that were generally insecure.
I actually had the privilege of using a tool that would play back traffic it recorded; it was running when CodeRed hit. At the company in question, we were able to play back and observe the CodeRed traffic entering the network through the VPN connections and through a couple of servers that were accessible via the Web and were able to access the internal network. In the case of Nimda, it required the ability to email an executable attachment in order to spread via email. Because many companies did not block executables from being emailed, the worm was able to spread very easily. The lesson? Implement good security perimeters and only allow the traffic that you absolutely need. Filter email traffic as well.
Third, buffer overflows are a bad thing. While the end user has little ability to directly address buffer overflows, what the user does have is the ability to come down hard on vendors that do not test their code for overflow vulnerabilities before they release the software. Microsoft took a beating over these exploits and should have.
Fourth, run only those network services that are required. One reason that CodeRed was so successful is that many Windows installations of the time included a Web server (IIS) by default. Most administrators do not modify the installation; rather they just click Next, Next, Finish, and deploy the system regardless of whether it will ever actually be used as a Web server. Had more systems, particularly desktops and servers that did not host Web services, not had IIS installed, the impact of these worms would have been significantly less.
Ultimately though, the lesson lies not in blaming Microsoft for the fact that the exploits exist but in the realm of the security professional. What may well be the worst thing about CodeRed and Nimda is that patches that protected against them existed well before the worms hit, and the worms were still able to spread like wildfire. As security professionals, we must be more vigilant.
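Both worms announced themselves in ordinary Web server access logs, so a site that read its logs could have spotted the traffic the case study describes. The detector below is an added example, not code from the book. Its two signatures come from the widely published descriptions of the worms rather than from the case study text: CodeRed sent an oversized query string to a .ida resource (the Index Server ISAPI extension backed by IDQ.DLL, MS01-033), and Nimda requested cmd.exe or root.exe through percent-encoded or overlong-UTF-8 "..\" traversal (MS00-078). The log lines, client addresses and timestamps are constructed for illustration, and the two overlong byte sequences in OVERLONG are an assumption about the encodings to normalize.

```python
"""Flag CodeRed- and Nimda-style requests in Web access logs (added example, not from the book)."""
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: client - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Overlong UTF-8 encodings of "/" and "\" (assumed set; extend if your logs show others).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# Constructed sample lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [19/Jul/2001:10:15:01 -0400] "GET /default.ida?'
    + "N" * 224 + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 -',
    '198.51.100.9 - - [18/Sep/2001:13:02:44 -0400] '
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -',
    '198.51.100.9 - - [18/Sep/2001:13:02:45 -0400] '
    '"GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.55 - - [18/Sep/2001:13:05:00 -0400] "GET /index.html HTTP/1.1" 200 1243',
    '192.0.2.55 - - [18/Sep/2001:13:05:01 -0400] '
    '"GET /search.idq?CiRestriction=cissp HTTP/1.1" 200 800',
]


def normalize_path(path):
    """Percent-decode twice (so %255c -> %5c -> backslash), map overlong UTF-8
    separators to plain ones, and lowercase, so encoding tricks cannot hide the
    ".." segments or the executable name from the checks below."""
    raw = unquote_to_bytes(unquote_to_bytes(path))
    for overlong, plain in OVERLONG.items():
        raw = raw.replace(overlong, plain)
    return raw.lower()


def classify_request(target):
    """Return (tag, reason) for a suspicious request target, else None."""
    path, _, query = target.partition("?")
    norm = normalize_path(path)
    shown = norm.decode("latin-1")
    if norm.endswith((b".ida", b".idq")) and len(query) >= 200:
        return ("codered-like", f"{len(query)}-byte query to Index Server ISAPI ({shown})")
    if re.search(rb"\.\.[/\\]", norm) or norm.endswith((b"cmd.exe", b"root.exe")):
        return ("nimda-like", f"traversal or command shell request ({shown})")
    return None


def scan_access_log(lines):
    """Return [(client_ip, tag, reason)] for every suspicious line, in log order."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in the expected log format
        verdict = classify_request(m["target"])
        if verdict is not None:
            flagged.append((m["ip"], verdict[0], verdict[1]))
    return flagged


if __name__ == "__main__":
    for ip, tag, reason in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip}: {tag}: {reason}")
```

The normalization step is the part worth keeping: the traversal checks run on the decoded, lowercased path, so a request that looks harmless in the raw log (no literal "..\" anywhere) is still recognized once the encoding is undone. A legitimate short Index Server query such as the /search.idq line is not flagged, which is the distinction between "uses the vulnerable component" and "exploits it".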
CHAPTER SUMMARY
The Telecommunications and Network Security domain includes a massive amount of information to learn. It provides details on the processes, systems, and technologies that make up the backbone of networking and network security.
We started with an examination of the OSI model and the benefits of using layered architectural design models. We looked at the processes that occur at each layer, and the protocols that enable them.
KEY TERMS
• 802.2
• 802.3
• 802.5
• Authentication
APPLY YOUR KNOWLEDGE
Exercises
2.1 Designing Network Topologies
You are the administrator of a new network. The CIO has tasked you with the responsibility of designing the corporate network while providing the maximum degree of security. The following requirements have been given:
• The internal network must be secured against external and internal threats.
• Several servers will need to be accessed by external users. The internal network must be secured, even if these servers are compromised.
• Traveling and home-office users will need access to internal network resources.
• Outbound Internet (WWW) access must be screened and filtered.
Estimated Time: 1 hour
1. Design and diagram a network topology that will meet these needs.
2. To design the most effective solution, let's review the requirements:
• The internal network must be secured against external and internal threats.
The most effective device to implement for securing a network against external threats is a firewall. The most effective method to secure against internal threats is to use an IDS (both network and host based) and to ensure that all systems are properly patched and running virus protection.
• A number of servers will need to be accessed by external users. The internal network must be secured, even if these servers are compromised.
The type of firewall and firewall design to implement differ with every network. Because multiple servers will need to be accessed by external resources, a screened subnet firewall design would be preferred. The screened subnet and internal firewall will protect the internal network in case the externally accessible servers are compromised. Likewise, the external firewall will provide some degree of security for the externally accessible servers against external threats. This can be handled via the use of a circuit proxy/stateful inspection firewall. This will provide an excellent combination of speed and security. Using an IDS to monitor traffic entering and exiting the screened subnet in both directions will further protect against security compromises.
• Traveling and home office users will need access to internal network resources.
The most effective method to provide internal access is through the use of VPN connections. It is also recommended to use multiple screened subnets, one for the externally accessible servers and one for the VPN connections. This allows you to manage each group of external traffic separately, as well as providing a single point to block VPN access if required.
• Outbound Internet (WWW) access must be screened and filtered.
The most effective method to screen outbound Internet access is through the use of an application proxy. This can be provided through the use of application proxy firewalls. This is an effective internal firewall choice in our screened subnet design.
Figure 2.20 illustrates how the solution comes together.
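A diagram shows the zones; what actually enforces the requirements is the rule table on the two firewalls. The following is an added example, not part of the book, that writes the screened-subnet design from Exercise 2.1 as an explicit default-deny rule set and then tests each requirement against it. It also covers the egress-filtering countermeasure from earlier in the chapter, since "only allow the outbound traffic users require" is the same default-deny table read in the outbound direction. The zone names, the proxy port 3128, the SSH administration rule and the IPsec ports are assumptions chosen to express the exercise's requirements, not values from the book.

```python
"""Check the screened-subnet design from Exercise 2.1 as an explicit rule set
(added example, not from the book; zones, ports and rules are assumptions)."""
from dataclasses import dataclass

ANY = "*"
ZONES = {"internet", "dmz_servers", "dmz_vpn", "proxy", "internal"}


@dataclass(frozen=True)
class Rule:
    src: str       # zone or ANY
    dst: str       # zone or ANY
    proto: str     # "tcp", "udp", "esp" or ANY
    dport: object  # int or ANY
    action: str    # "allow" or "deny"


RULES = [
    # External firewall: the Internet reaches only published services and the VPN gateway.
    Rule("internet", "dmz_servers", "tcp", 80, "allow"),
    Rule("internet", "dmz_servers", "tcp", 443, "allow"),
    Rule("internet", "dmz_servers", "tcp", 25, "allow"),
    Rule("internet", "dmz_vpn", "udp", 500, "allow"),   # IKE (assumed IPsec VPN)
    Rule("internet", "dmz_vpn", "esp", ANY, "allow"),   # IPsec ESP
    # Internal firewall: authenticated VPN users get inside; DMZ servers never do.
    Rule("dmz_vpn", "internal", ANY, ANY, "allow"),
    Rule("dmz_servers", "internal", ANY, ANY, "deny"),
    # Outbound Web goes through the application proxy; only the proxy talks to the Internet.
    Rule("internal", "proxy", "tcp", 3128, "allow"),    # assumed proxy listener port
    Rule("proxy", "internet", "tcp", 80, "allow"),
    Rule("proxy", "internet", "tcp", 443, "allow"),
    # Administrators may reach DMZ servers from inside (assumed SSH), never the reverse.
    Rule("internal", "dmz_servers", "tcp", 22, "allow"),
]


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; no match means deny (default deny)."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} -> {dst!r}")
    for r in rules:
        if (r.src in (src, ANY) and r.dst in (dst, ANY)
                and r.proto in (proto, ANY) and r.dport in (dport, ANY)):
            return r.action
    return "deny"


def failed_requirements(rules):
    """Return the names of the exercise requirements that the rule set violates."""
    probe_ports = [22, 80, 445, 1433, 3389, 31337]   # representative sample
    checks = {
        "public Web service reachable from Internet":
            evaluate(rules, "internet", "dmz_servers", "tcp", 80) == "allow",
        "VPN users reach internal resources":
            evaluate(rules, "dmz_vpn", "internal", "tcp", 445) == "allow",
        "internal Web access only via proxy":
            evaluate(rules, "internal", "proxy", "tcp", 3128) == "allow"
            and evaluate(rules, "proxy", "internet", "tcp", 443) == "allow"
            and evaluate(rules, "internal", "internet", "tcp", 80) == "deny",
        "compromised DMZ server cannot reach internal network":
            all(evaluate(rules, "dmz_servers", "internal", "tcp", p) == "deny"
                for p in probe_ports),
        "compromised DMZ server cannot reach VPN subnet":
            all(evaluate(rules, "dmz_servers", "dmz_vpn", "tcp", p) == "deny"
                for p in probe_ports),
        "Trojan on an internal host cannot call out directly (egress)":
            all(evaluate(rules, "internal", "internet", proto, p) == "deny"
                for proto in ("tcp", "udp") for p in probe_ports),
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    print("baseline failures:", failed_requirements(RULES))
    # The tempting shortcut: let the DMZ Web server query an internal database directly.
    leaky = [Rule("dmz_servers", "internal", "tcp", 1433, "allow")] + RULES
    print("with DMZ->internal DB rule:", failed_requirements(leaky))
```

The second run in the usage block shows why the "even if these servers are compromised" requirement is worth testing rather than assuming: one convenient rule from the DMZ to an internal database server is enough to fail it, and the check catches that while the diagram still looks right.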
FIGURE 2.20 Diagram of exercise 1 solution. [Figure: Internet; External Router (Packet Filtering); Circuit Proxy/Packet Filtering/Stateful Firewall; Network-Based Intrusion Detection System; Screened Subnet/DMZ containing the VPN Users subnet and the Externally Accessible Servers; Network-Based Intrusion Detection System in front of the internal network.]
5. What are the six classifications of network abuse, and what are their characteristics?
6. How can a network administrator increase the reliability of network data?
Exam Questions
1. Which OSI layer is primarily responsible for negotiating dialog control between systems and applications?
2. Routers are devices that function at which layer of the OSI Model?
3. Coaxial cable is typically used in which LAN topology?
A. Mesh
B. Linear bus
C. Star
D. Tree
4. What is the minimum UTP cable specification that supports transmitting data at 100Mbps speeds?
A. Category 3
B. Category 5
C. Category 5e
D. 10BASE-T
5. What is the single point of failure in a star topology?
6. Which device is responsible for separating broadcast domains?
7. What is used at the Data Link layer for the delivery of data to hosts?
A. IP address
B. IPX address
C. ARP
D. Hardware (MAC) address
8. Ethernet uses which access method?
A. Carrier Sense, Multiple Access/Collision Avoidance
B. Token passing
C. Carrier Sense, Multiple Access/Collision Detection
D. LAN emulation
9. Sending and receiving data at the same time is an example of which type of communication?
A. Simplex
B. Multicast
C. Full-Duplex
D. Half-Duplex
10. A device that keeps track of the connection state of conversations is known as a(n) ___________?
A. Application proxy
B. NAT device
C. Stateful inspection firewall
D. Packet filtering firewall
11. Using a perimeter network to secure internal resources from external sources, while still providing limited access to devices on the perimeter network, is an example of a _______?
A. Packet filtering firewall design
B. Screened subnet firewall design
C. Screened host firewall design
D. Dual homed host firewall design
12. T1 lines are typically used for which type of WAN connection?
A. Circuit-switched
B. Cell-switched
C. Remote access
D. Dedicated
13. CHAP and PAP authentication can be used with which type of technology?
A. HDLC
B. X.25
C. Dedicated WAN connections
D. PPP
14. What is used as the underlying connection for establishing a VPN connection?
A. Dial-up remote access
B. The Internet
C. Circuit-switched connections
D. Dedicated connections
15. What is used for providing connection-oriented delivery in the TCP/IP protocol suite?
A. SNMP
B. UDP
C. IP
D. TCP
16. What does ARP do?
A. Resolves known IP addresses to MAC addresses
B. Resolves known MAC addresses to IP addresses
C. Resolves NetBIOS names
D. Resolves hostnames
17. What TCSEC division specifies that discretionary protection through the use of auditing occurs?
A. Division A
B. Division B
C. Division C
D. Division D
18. SWIPE provides security at which layer?
A. Physical
B. Transport
C. Application
D. Network
19. S/MIME is used to secure which type of data?
A. Web traffic
B. IPX
C. Email
D. Database queries
20. A device that examines network traffic to look for anomalies from the normal traffic patterns is an example of a(n) _____________?
A. Application proxy firewall
B. Stateful packet inspection firewall
C. Behavior-based IDS
D. Host-based IDS
21. Social engineering is an example of what class of network abuse?
A. Class A
B. Class B
C. Class C
D. Class D
22. Class D network abuse is identified by what?
A. Non-business use of systems
B. Denial of service
C. Network intrusion
D. Probing
Answers to Review Questions
1. There are three primary benefits to using a layered reference model:
• It divides the complex network operation into smaller, easier-to-manage pieces or layers.
• It facilitates the ability to make changes to the functions and processes at one layer without needing to make changes at all layers.
• It defines a standard interface for multi-vendor integration. By using a standard interface, the details of how a particular layer functions are hidden from all the other layers.
See "The OSI Layers" section for more information.
2. The following are the six types of firewalls and a brief description of their characteristics:
• Packet filtering—Packet-filtering firewalls are similar in use and function to routers. In fact, many routers include packet-filtering capabilities. Packet-filtering firewalls function by comparing received traffic against a rule set that defines what traffic is permitted and what traffic is denied.
• Application proxy—Application-filtering firewalls function by reading the entire packet up to the Application layer before making a filtering decision. Whereas a packet-filtering firewall generally cannot differentiate between valid application data and invalid application data, the application proxy firewall can.
• Circuit proxy—Circuit proxy firewalls are a bit of a hybrid between application proxies and packet-filtering firewalls. With a circuit proxy, the firewall creates a circuit between the source and destination without actually reading and processing the application data. In that sense, it is a proxy between the source and destination. However, because it does not actually process the application data, it is functionally like a packet filter.
• Stateful inspection—All firewalls being considered today should perform stateful packet inspection. When a host sends a packet to the destination, the destination is going to process the data and potentially send a response. This network connection state is tracked by the firewall and then used in determining what traffic should be allowed to pass back through the firewall. Because these firewalls can examine the state of the conversation, they can even monitor and track protocols that are otherwise considered connectionless, such as UDP or certain types of remote procedure call traffic.
• Dynamic packet filtering—A dynamic packet filtering firewall is generally used for providing limited support of connectionless protocols such as UDP. It functions by keeping a record of the UDP packets that have crossed the network perimeter, and based on that record it allows the corresponding responses to pass back through the firewall.
• Kernel proxy—Kernel proxy firewalls are typically highly customized and specialized firewalls that are designed to function in kernel mode of the operating system. This provides for modular, kernel-based, multi-layer session evaluation using customized TCP/IP stacks and kernel-level proxies.
See the "Firewalls" section for more information.
3. Secure remote connections and access to the network can be provided through the use of VPN connections. A good VPN connection will use both authentication and encryption to ensure that only permitted connections are allowed to be established and that all the data transmitted is encrypted for security. See the "Providing Remote Access" and "VPNs (Virtual Private Networks)" sections for more information.
4. Authentication is a process in which the identity of the remote host is validated. Encryption is a process in which the data transmitted is secured so that it can be read only by the correct destination host. A secure network data delivery process combines both authentication and encryption to validate the source and destination systems and protect the integrity of the data. See the "Wireless" section and "Network Layer Security" section for more information.
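The stateful inspection and dynamic packet filtering entries in answer 2 describe a state table without showing one. The following is an added example, not code from the book, that implements that table in a few dozen lines and sets it beside the older stateless approximation of "established" traffic. The stateful filter records a conversation when an inside host starts it (a TCP SYN, or the first outbound UDP datagram plus a timer, which is the dynamic-filtering case for connectionless protocols) and admits an inbound packet only if it is the reverse of a tracked conversation. The stateless rule, "allow inbound TCP if the ACK bit is set", is what a plain packet filter had to use instead, and it is what an ACK scan walks straight through. Addresses, ports and timeouts are assumed values for illustration.

```python
"""A minimal stateful packet filter beside a stateless 'established' rule
(added example, not from the book; addresses and timeouts are assumptions)."""
from dataclasses import dataclass, field

INSIDE_PREFIX = "10.0.0."   # assumed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                  # "tcp" or "udp"
    ts: float                   # seconds
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


def is_outbound(p):
    return p.src.startswith(INSIDE_PREFIX) and not p.dst.startswith(INSIDE_PREFIX)


def stateless_decide(p):
    """Packet filter with the classic ACK-bit approximation of 'established'."""
    if is_outbound(p):
        return "allow"
    if p.proto == "tcp" and "ACK" in p.flags:
        return "allow"   # assumes an ACK belongs to an existing connection; it need not
    return "drop"


class StatefulFilter:
    def __init__(self, tcp_timeout=3600.0, udp_timeout=30.0):
        self.tcp_timeout = tcp_timeout
        self.udp_timeout = udp_timeout
        self.table = {}   # (proto, src, sport, dst, dport) -> expiry time

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        for k in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[k]

    def decide(self, p):
        self._expire(p.ts)
        timeout = self.tcp_timeout if p.proto == "tcp" else self.udp_timeout
        if is_outbound(p):
            new_tcp = p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags
            if new_tcp or p.proto == "udp" or self._key(p) in self.table:
                self.table[self._key(p)] = p.ts + timeout   # create or refresh state
                return "allow"
            return "drop"   # outbound TCP that is neither a SYN nor part of a tracked flow
        if self._reverse_key(p) in self.table:
            self.table[self._reverse_key(p)] = p.ts + timeout   # refresh on reply
            return "allow"
        return "drop"   # unsolicited inbound packet, whatever flags it carries


if __name__ == "__main__":
    fw = StatefulFilter()
    syn = Packet("10.0.0.5", 40000, "203.0.113.1", 80, "tcp", 0.0, frozenset({"SYN"}))
    forged = Packet("203.0.113.1", 80, "10.0.0.5", 40001, "tcp", 0.2, frozenset({"ACK"}))
    print("outbound SYN:", fw.decide(syn))
    print("forged inbound ACK, stateful:", fw.decide(forged),
          "/ stateless:", stateless_decide(forged))
```

The UDP timer is what the answer calls dynamic packet filtering: a DNS reply arriving within the window is admitted as a response, the same datagram arriving after the window is dropped as unsolicited. Real firewalls also track TCP teardown (FIN/RST) and sequence numbers; the table above is deliberately the minimum needed to show why the forged ACK is dropped.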
5. The following are the six classifications of network abuse, and a brief description of their characteristics:
• Class A abuses—Class A network abuse is the result of unauthorized network access through the circumvention of security access controls. This is sometimes referred to as logon abuse, and can range from legitimate users trying to access resources that they are not allowed to, to external threats attempting to gain access to a network.
• Class B abuses—Class B network abuse is defined by non-business use of systems. This can be as surreptitious as someone printing personal items on company resources or as bold as visiting unauthorized Web sites.
• Class C abuses—Class C network abuse is identified by the use of eavesdropping techniques. These techniques can be active or passive in nature and include everything from listening to what someone is saying to tapping into a network to intercept network traffic.
• Class D abuses—Class D network abuse is identified by denial of service saturation of network services and resources.
• Class E abuses—Class E network abuse is generally defined by network intrusion and prevention.
• Class F abuses—Class F network abuse refers to probing attacks. A variation of eavesdropping, probing attacks are used by malicious users to gain information about a network in preparation for a network intrusion or other attack. Depending on the information that can be gathered, probe attacks can give an intruder a list of services and resources available on the network, and can even provide a diagram of the network layout and how systems are interconnected.
See the "Common Attacks and Countermeasures" section for more information.
6. Reliability of network data can be best assured through the use of fault-tolerant systems and data recovery methods. Some examples of fault-tolerant systems are the use of RAID to protect data-storage systems and clustering to provide fail-over redundancy. If the network administrator is unable to prevent the failure, the use of data backup and recovery systems can further provide data reliability. See "Fault Tolerance and Data Restoration" for more information.
Answers to Exam Questions
1. B. The Session layer is responsible for negotiating dialog control between systems and applications. The Application layer is responsible for interfacing to the user. The Internet layer is not an OSI layer. The Transport layer is responsible for end-to-end communications. See "Session Layer" for more information.
2. D. Routers function at the Network layer of the OSI model. Switches and bridges function at the Data Link layer. The Internet layer is not an OSI layer, but routers could be considered Internet layer devices. Hubs and repeaters function at the Physical layer. See "Network Layer" for more information.
3. B. Coaxial cable is typically used in a linear bus topology. Mesh, star, and tree topologies are typically created with UTP cabling. See "Coax" and "Linear Bus Topology" for more information.
4. B. Category 5 is the minimum UTP specification that will run at 100Mbps. Category 3 is not capable of transmitting data at 100Mbps. Although Category 5e is capable of transmitting at 100Mbps, it is not the minimum specification. 10BASE-T is not a UTP cable specification. See "Unshielded Twisted Pair" for more information.
5. C. The hub or switch is the single point of failure in a star topology. Cable failures in a star topology affect only the devices connected to that cable. Computer or NIC failures affect only the device in question. See "Star Topology" for more information.
6. A. Routers are responsible for separating broadcast domains. Switches and bridges will forward broadcasts, potentially creating broadcast storms in a looped network. Repeaters repeat every signal, regardless of what it is. See "Network Layer" and "Routers" for more information.
7. D. The hardware address is used at the Data Link layer for delivering data to hosts. IP and IPX addresses are used for logical addressing at the Network layer. ARP is used to resolve IP addresses to MAC addresses; it is not used for the delivery of data. See "Data Link Layer" for more information.
8. C. Ethernet uses Carrier Sense, Multiple Access/Collision Detection for its access method. Token passing is used in FDDI and Token-Ring networks. Carrier Sense, Multiple Access/Collision Avoidance is used by wireless LANs such as 802.11. LAN Emulation is used for ATM networks. See "Ethernet" for more information.
9. C. Full-duplex all
ows a system to send and receive data at the same time. Simplex is unidirectional transmission only. Multicast is an addressing method that allows multiple hosts to receive the same data. Half-duplex is a bidirectional transmission method; however, it can only transmit in one direction at a time. See "Ethernet" for more information.
10. C. A stateful packet inspection firewall keeps track of the connection state of conversations. Application proxies process the data packet to verify that it is the proper application data. NAT devices simply translate addresses. Packet filtering firewalls do not track connection state; they simply forward or filter based on access lists. See "Firewalls" for more information.
11. B. A screened subnet firewall design protects internal resources by using a perimeter network, while providing external access to devices on the perimeter network. A packet-filtering firewall design does not contain a screened subnet. In a screened host firewall design the exposed host is on the internal network, not on a perimeter network. A dual-homed host firewall uses a host that is connected to the external and internal network; however, it will not forward packets between those networks. See "Firewalls" for more information.
12. D. T1 lines are typically used for dedicated WAN connections. Circuit-switched connections are typically used for dial-up and backup connections. Cell-switched connections are used in ATM. Remote access is not a WAN access connection as much as it is an access method. See "Dedicated Connections" for more information.
13. D. CHAP and PAP authentication is used with PPP. HDLC and X.25 do not use authentication. Dedicated WAN connections is not a valid response. See "Point-to-Point Protocol and Serial Line Internet Protocol" for more information.
14. B. The Internet is used as the underlying connection for establishing VPNs. Dial-up remote access is when the user dials into the corporate network directly. Circuit-switched and dedicated connections are WAN connection methods, not VPN connection methods. See "Virtual Private Networks" for more information.
15. D. TCP is used for providing connection-oriented communications in the TCP/IP protocol suite. SNMP is used for managing IP devices. UDP and IP are connectionless. See "Transport Layer Protocols" for more information.
16. A. ARP resolves a known IP address to an unknown MAC address. RARP resolves known MAC addresses to unknown IP addresses. WINS resolves NetBIOS names. DNS resolves host names. See "Internet Layer Protocols" for more information.
17. C. TCSEC division C specifies that discretionary protection through the use of auditing should occur. Division A uses formal security verification to ensure security. Division B specifies that mandatory access rules exist. Division D uses minimal protection, if any. See "Trusted Network Interpretation" for more information.
18. D. SWIPE provides Network layer security. Application layer security is provided through protocols such as S/MIME and PEM. SSL and TLS are protocols that provide Transport layer security. Physical layer security can be provided by controlling access to the physical cabling. See "Network Layer Security Protocols" for more information.
19. C. S/MIME is used to provide security for email data. Web traffic is secured via HTTPS and SSL. IPX can be secured by encapsulating it in other protocols. Database queries can be secured by Application/Presentation layer encryption or by encapsulating them in other protocols such as IPSec. See "Application Layer Security Protocols" for more information.
20. C. A behavior-based IDS looks for anomalies in traffic patterns. An application proxy firewall proxies connections between hosts and examines the application data to ensure integrity. Stateful packet inspection firewalls track conversation state to determine whether to permit or deny traffic. Host-based IDSs run on and monitor an individual host. While a host-based IDS might be a behavior-based IDS, it does not have to be one. See "Intrusion Detection" for more information.
21. A. Social engineering is an example of Class A network abuse. Class B network abuse is indicated by abuse of network resources. Class C network abuse is indicated by the use of eavesdropping. Class D network abuse is indicated by a denial of service or saturation of network resources. See "Common Attacks and Countermeasures" for more information.
22. B. Class D network abuse is identified by denial of service. Non-business use of systems is an example of Class B network abuse. Network intrusion is an example of Class E network abuse. Probing is an example of Class F network abuse. See "Common Attacks and Countermeasures" for more information.
Suggested Readings and Resources
C H A P T E R 3
Security Management
and Practices
OBJECTIVES
Know how to set policies and how to derive standards, guidelines, and implement procedures to meet policy goals.
• Policies are the blueprints of the information security program. From policies, you can set the standards and guidelines that will be used throughout your organization to maintain your security posture. Then, using those standards, you can create procedures that can implement the policies.

Set information security roles and responsibilities throughout your organization.
• From management to the users, everyone who has access to your organization’s systems and networks is responsible for their role in maintaining security as set by the policies. Understanding these roles and responsibilities is key to creating and implementing security policies and procedures.

Understand how the various protection mechanisms are used in information security management.
• Protection mechanisms are the basis of the data architecture decision that will be made in your information security program. These are the basis for the way data is protected and provide a means for access.

Understand the considerations and criteria for classifying data.
• Protecting data is the objective of every information security program. Therefore, we look at how that data can be classified so it can be securely handled.

Determine how employment policies and practices are used to enhance information security in your organization.
• Even with the press concentrating on the effects of denial-of-service attacks and viruses, the biggest threats come from within. Improving on the employment policies and practices to perform better background checks and better handle hiring and termination, as well as other concerns to help minimize the internal threat, are important information security practices.

Use change control to maintain security.
• One of the jobs of a Trojan horse is to replace a program with one that can be used to attack the system. Change control is one defense against this type of attack. Using change control to maintain the configuration of programs, systems, and networks, you can prevent changes from being used to attack your systems.

Know what is required for Security Awareness Training.
• The best security policies and procedures are ineffectual if users do not understand their roles and responsibilities in the security environment. Training is the only way for users to understand their responsibilities.
OUTLINE
Job Descriptions 225
Job Rotation 225
Managing Change Control 226
Hardware Change Control 226
Software Change Control 227
Security Awareness Training 227
Chapter Summary 228

STUDY STRATEGIES
• Even if you are not part of your organization’s management team, watch how management works in the information security environment. Take the practices and strategies written here and look at not only how your organization implements them, but how they can be improved. This type of lateral thinking will help on the exam and can make you a valuable contributor to your organization’s security posture.
• The notes throughout the chapter point out key definitions and concepts that could appear on the exam. They are also key components that all managers should understand.
INTRODUCTION
Security management can be difficult for most information security
professionals to understand. It is the bridge between understanding
what is to be protected and why those protections are necessary.
The CIA triad comprises all the principles on which every security
program is based. Depending on the nature of the information
assets, some of the principles might have varying degrees of impor-
tance in your environment.
Confidentiality
Confidentiality determines the secrecy of the information asset.
Determining confidentiality is not a matter of determining whether
information is secret or not. When considering confidentiality, man-
agers determine the level of access in terms of how and where the
data can be accessed. For information to be useful to the organiza-
tion, it can be classified by a degree of confidentiality.
To prevent attackers from gaining access to critical data, a user who
might be allowed access to confidential data might not be allowed to
access the service from an external access port. The level of confiden-
tiality determines the level of availability that is controlled through
various access control mechanisms.
Protections offered to confidential data are only as good as the secu-
rity program itself. To maintain confidentiality, the security program
must consider the consequences of an attacker monitoring the net-
work to read the data. Although tools are available that can prevent
the attacker from reading the data in this manner, safeguards should
be in place at the points of transmission, such as by using encryp-
tion or physically safeguarding the network.
Another attack on confidentiality is the use of social engineering to
access the data or obtain access. Social engineering is difficult to
defend because it requires a comprehensive and proactive security
awareness program. Users should be educated about the problems
and punishments that result when they intentionally or accidentally
disclose information. This can include safeguarding usernames and
passwords from being used by an attacker.
Cryptography is the study of how to scramble, or encrypt, informa-
tion to prevent everyone but the intended recipient from being able
to read it. Encryption implements cryptography by using mathemat-
ical formulas to scramble and unscramble the data. These formulas
use an external piece of private data called a key to lock and unlock
the data.
Cryptography can trace its roots back 4,000 years to ancient Egypt
where funeral announcements were written using modified hiero-
glyphics to add to their mystery. Today, cryptography is used to keep
data secret. For more information on cryptography, see Chapter 5,
“Cryptography.”
Integrity
With data being the primary information asset, integrity provides the
assurance that the data is accurate and reliable. Without integrity,
the cost of collecting and maintaining the data cannot be justified.
Therefore, policies and procedures should support ensuring that data
can be trusted.
Mechanisms put in place to ensure the integrity of information
should prevent attacks on the storage of that data (contamination)
and on its transmission (interference). Data that is altered on the net-
work between the storage and the user’s workstation can be as
untrustworthy as the attacker altering or deleting the data on the
storage media. Protecting data involves both storage and network
mechanisms.
Attackers can use many methods to contaminate data. Viruses are
the most frequently reported in the media. However, an internal
user, such as a programmer, can install a back door into the system
or a logic bomb that can be used to attack the data. After an attack is
launched, it might be difficult to stop and thus affect the integrity of
the data. Some of the protections that can be used to prevent these
attacks are intrusion detection, encryption, and strict access controls.
Not all integrity attacks are malicious. Users can inadvertently store
inaccurate or invalid data by incorrect data entry, an incorrect deci-
sion made in running programs, or not following procedures. They
can also affect integrity through system configuration errors at their
workstations or even by using the wrong programs to access the
data. To prevent this, users should be taught about data integrity
during their information security awareness training. Additionally,
programs should be configured to test the integrity of the data
before storing it in the system. In network environments, data can
be encrypted to prevent its alteration.
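As an added illustration of the advice above that programs should test the integrity of data before storing or using it, the following Python (written for this edition, not code from the book) protects a record with a keyed HMAC-SHA256 tag and verifies it when the record comes back from storage or off the network. It also shows why an unkeyed checksum is not an integrity control: whoever alters the record can simply recompute it. The record, the key, and all function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment draws this from a key store, never from source.
INTEGRITY_KEY = b"constructed-demo-key-32-bytes-long!!"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(record: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Return record || HMAC-SHA256(key, record). Applied when the record is stored or sent."""
    tag = hmac.new(key, record, hashlib.sha256).digest()
    return record + tag


def verify(protected: bytes, key: bytes = INTEGRITY_KEY):
    """Recompute the tag before the record is used; return (intact, record)."""
    if len(protected) < TAG_LEN:
        return False, b""
    record, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    # compare_digest avoids leaking where the two tags first differ
    return hmac.compare_digest(tag, expected), record


def checksum_only(record: bytes) -> bytes:
    """Unkeyed alternative: record || SHA-256(record). Included for contrast with HMAC."""
    return record + hashlib.sha256(record).digest()


def checksum_verify(protected: bytes):
    record, digest = protected[:-TAG_LEN], protected[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(record).digest()), record


def simulate_alteration(protected: bytes, new_record: bytes, recompute_checksum: bool) -> bytes:
    """Model the 'interference' case: the record is changed between storage and the
    workstation. With an unkeyed checksum the digest can be recomputed to match;
    with HMAC there is no key available, so the old tag has to be kept as-is."""
    if recompute_checksum:
        return checksum_only(new_record)
    return new_record + protected[-TAG_LEN:]


def demo() -> dict:
    """Constructed sample: one customer record, intact and altered, under both schemes."""
    original = b"customer=ACME;balance=1000"
    altered = b"customer=ACME;balance=9999"
    keyed = protect(original)
    unkeyed = checksum_only(original)
    return {
        "keyed_intact": verify(keyed)[0],
        "keyed_altered": verify(simulate_alteration(keyed, altered, recompute_checksum=False))[0],
        "unkeyed_intact": checksum_verify(unkeyed)[0],
        # the altered record passes because the checksum was recomputed along with it
        "unkeyed_altered_recomputed": checksum_verify(
            simulate_alteration(unkeyed, altered, recompute_checksum=True))[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The `keyed_altered` result is the one an integrity mechanism must produce: the receiving program refuses the record instead of storing it. The `unkeyed_altered_recomputed` result shows the failure mode of a plain checksum, which is why the text pairs integrity with access controls and encryption rather than relying on a digest alone.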
Availability
Availability is the ability of the users to access an information asset.
Information is of no use if it cannot be accessed. Systems should
have sufficient capacity to satisfy user requests for access, and net-
work architects should consider capacity as part of availability.
Policies can be written to enforce this by specifying that procedures
be created to prevent denial-of-service (DoS) attacks.
More than just attackers can affect system and network availability.
The environment, weather, fire, electrical problems, and other fac-
tors can prevent systems and networks from functioning. To prevent
these problems, your organization’s physical security policies should
specify various controls and procedures to help maintain availability.
Yet access does not mean that data has to be available immediately.
Availability of information should recognize that not all data has to
be available upon request. Some data can be stored on media that
might require user or operator intervention to access. For example,
if your organization collects gigabytes of data daily, you might not
have the resources to store it all online. This data can be stored on
an offline storage unit, such as a CD jukebox, that does not offer
immediate access.
Privacy
Privacy relates to all elements of the CIA triad. It considers which
information can be shared with others (confidentiality), how that
information can be accessed safely (integrity), and how it can be
accessed (availability).
As an entity, privacy is probably the most watched and regulated
area of information security. Laws, such as the U.S. Federal Privacy
Act of 1974, provide statutes that limit the government’s use of
citizens’ personal data. More recently, the Health Insurance
Portability and Accountability Act (HIPAA) authorizes the
Department of Health and Human Services to set the security and
privacy standards to cover processing, storing, and transmitting indi-
vidual’s health information to prevent inadvertent or unauthorized
use or disclosure.
identification and authentication.
The process of identification and authentication is usually a two-step process, although it can involve more than two steps. Identification provides the resource with some type of identifier of who is trying to gain access. Identifiers can be any public or private information that is tied directly to the entity. To identify users, the common practice is to assign the user a username. Typically, organizations use the user’s name or employee identification number as a system identifier. There is no magic formula for assigning usernames—it is a matter of your preference and what is considered the best way of tracking users when information appears in log files.

NOTE
Understand the Principle of Authentication: Authentication is a matter of what the entity knows, what they might have, or who the entity is. For strong authentication, use at least two of these principles.
The second part of the process is to authenticate the claimed identity.
The following are the three general types of authentication:
• What the entities know, such as a personal identification number (PIN) or password
• What the entities have, such as an access card, a smart card, or a token generator
• Who or what the entity is, which is usually identified through biometrics
Passwords
Of these methods, passwords and PINs are the most common forms
of authentication. Although passwords become the most important
part of the process, they also represent the weakest link. As a security
manager, you must manage the process in such a way to minimize
the weakness in the process.
authentication that satisfies the “what you have” scenario. Token devices come in two forms: synchronous and asynchronous. A synchronous token is time-based and generates a value that is used in authentication. The token value is valid for a set period of time before it changes and is based on a secret key held by both the token (usually a sealed device) and the server providing authentication services. An asynchronous token uses a challenge-response mechanism to determine whether the user is valid. After the user enters the identification value, the authentication server sends a challenge value. The user then enters that value into the token device, which then returns a value called a token. The user sends that value back to the server, which validates it to the username. Figure 3.2 demonstrates these steps.

NOTE
PKI: Using public key or asynchronous encryption technologies requires the use of a public key infrastructure (PKI) to manage the process.

FIGURE 3.2
Authentication using an asynchronous token device. (Diagram: six numbered steps between the user, the token device, and the Authentication Server.)
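To make the two token types concrete, here is an added Python model (not code from the book or from any token vendor) of both sides of the exchange. The synchronous part derives a short value from a shared secret and the current time interval; the asynchronous part walks through the identify, challenge, token, and validate steps that Figure 3.2 describes. The shared seed, the interval length, the truncation to a few hex digits, and the class and function names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed seed held by both the sealed token and the authentication server.
SHARED_SECRET = b"constructed-token-seed-0001"


# ---- Synchronous (time-based) token ----
def sync_token_value(secret: bytes, now: float, step: int = 60) -> str:
    """Value the token displays during the `step`-second interval containing `now`."""
    interval = int(now // step)
    mac = hmac.new(secret, interval.to_bytes(8, "big"), hashlib.sha256).hexdigest()
    return mac[:6]


def sync_verify(secret: bytes, submitted: str, now: float, step: int = 60, drift: int = 1) -> bool:
    """Server side: accept the current interval plus or minus `drift` intervals for clock skew."""
    for delta in range(-drift, drift + 1):
        if hmac.compare_digest(sync_token_value(secret, now + delta * step, step), submitted):
            return True
    return False


# ---- Asynchronous (challenge-response) token ----
def token_response(secret: bytes, challenge: str) -> str:
    """Token device side: turn the server's challenge into the one-time value the user sends back."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class AuthServer:
    def __init__(self, users: dict):
        self.users = users      # username -> token secret
        self.pending = {}       # username -> outstanding challenge

    def identify(self, username: str):
        """The user enters the identification value; the server replies with a fresh challenge."""
        if username not in self.users:
            return None
        challenge = secrets.token_hex(8)
        self.pending[username] = challenge
        return challenge

    def validate(self, username: str, response: str) -> bool:
        """Validate the returned value against the username. The challenge is consumed
        here, so a response captured in transit cannot be submitted a second time."""
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return False
        expected = token_response(self.users[username], challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(server: AuthServer, username: str, secret: bytes) -> bool:
    """Drive one complete exchange from the user's side with the given token secret."""
    challenge = server.identify(username)
    if challenge is None:
        return False
    response = token_response(secret, challenge)   # user keys the challenge into the token
    return server.validate(username, response)     # user sends the token value to the server


if __name__ == "__main__":
    srv = AuthServer({"alice": SHARED_SECRET})
    print("asynchronous login:", run_exchange(srv, "alice", SHARED_SECRET))
    import time
    v = sync_token_value(SHARED_SECRET, time.time())
    print("synchronous login:", sync_verify(SHARED_SECRET, v, time.time()))
```

Two design points carry over to real deployments: the server checks the synchronous value across a small drift window because token and server clocks are never perfectly aligned, and the asynchronous challenge is single-use so that the value "called a token" in the text is worthless once it has been validated.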
Nonrepudiation
Nonrepudiation is the ability to ensure that the originator of a com-
Keystroke Monitoring
Keystroke monitoring is a type of audit that monitors what a user types. It watches how the user types individual words, commands, or other common tasks and creates a profile of that user’s characteristics. The keystroke monitor can then detect whether someone other than the profiled user tries to use the system.
Another form of keystroke monitoring is the capture of what the user types. These types of keystroke monitors capture some of the basic user input events, allowing forensic analysis of what the user is doing. This is a more controversial form of auditing because it has been used by law enforcement in recent high-profile cases.
In either case, there are two problems with this type of auditing:
• The generation of a lot of data
• Privacy issues
Because of the nature of the data captured, no clipping level can be set. Therefore, you must ensure that there is enough storage for all the captured information to be stored.

NOTE
Magic Lantern: The FBI has been looking at new ways of doing covert investigation of criminals on the Internet. One tool they use is called Magic Lantern. As a follow-up to the Carnivore program, the FBI covertly installs Magic Lantern on a targeted computer system to trap keystroke and mouse information. Magic Lantern has been used to break the encryption of a suspected criminal. As this is written, that case has yet to come to trial, but the constitutionality of the FBI using Magic Lantern will be a central question.
Privacy issues are a concern in all types of monitoring, but especially
with keyboard monitoring. Unless used by law enforcement with the
proper authorization, you should ensure that your organization has the
proper policies in place and users have been notified of those policies.
Otherwise, you run the risk of being accused of violating a user’s civil
rights and liberties. Although this has not been resolved in the courts,
you should not try this without the proper policies in place because
you do not know what would happen if the monitored user tried to
test this in court.
Documentation
When I talk to organizations about the condition of their security
documentation, most admit that it is not up-to-date. Others say that
it is too accessible because it details the controls and settings of vari-
ous devices. In either case, documentation can become a weak link
in the security chain. By not keeping up with documentation, there
could be no explanation of how the controls are configured to satisfy
policies, which would make their replacement in an emergency situ-
ation difficult.
NOTE
Network’s Importance to Security Management: Network management is also important to security management. You should understand the roles of networks and some of the tools, such as virtual private networks (VPNs) and extranets.

and management had the problem of maintaining the integrity of the network and the information being used on the systems on the networks. Although there is a move to try to centralize management of servers and information security, information security management needs to take into account everywhere the information assets touch.
Network computing has brought new paradigms to the sharing of
information. Using technologies such as virtual private networks
(VPNs) and extranets, organizations can forge new types of relation-
ships based on sharing information assets. These partnerships have
organizations connecting their networks to share information in a
way that was unheard of as recently as 10 years ago. Managers plan-
ning these partnerships also should keep in mind how to maintain
the security of other information assets not involved in those agree-
ments. Both organizations should consider undergoing a risk analysis
specific to the connectivity required for this partnership to provide
appropriate protections.
Risk Factor
• Physical damage—Can result from natural disasters or other factors, such as power loss or vandalism.
• Malfunctions—The failure of systems, networks, or peripherals.
• Attacks—Purposeful acts whether from the inside or outside. Misuse of data, such as unauthorized disclosure, is an attack on that information asset.
• Human errors—Usually considered accidental incidents, whereas attacks are purposeful incidents.
• Application errors—Failures of the application, including the operating system. These are usually accidental errors, whereas exploits of buffer overflows or viruses are considered attacks.
Every analyzed information asset has at least one risk category asso-
ciated with one risk factor. Not every asset has more than one risk
category or more than one risk factor. The real work of the risk
analysis is to properly identify these issues.
Risk Analysis
NOTE
Risk Analysis: Identifies a risk, quantifies the impact, and assesses a cost for mitigating the risk.

Risk analysis is a process that is used to identify risk and quantify the possible damages that can occur to the information assets to determine the most cost-effective way to mitigate the risks. A risk analysis also assesses the possibility that the risk will occur in order to weigh
the cost of mitigation. As information security professionals, we
would like to create a secure, risk-free environment. However, it
might not be possible to do so without a significant cost. As a secu-
rity manager, you will have to weigh the costs versus the potential
costs of loss.
TABLE 3.1
BASIC RISK ANALYSIS ON A $10,000 ASSET
Cost of Countermeasure | Gain/(Loss) | Analysis
$0 | ($10,000) | By doing nothing, if the asset is lost, there could be a complete loss that costs $10,000.
$5,000 | $5,000 | If the countermeasure costs $5,000, you will gain $5,000 in providing the protection by mitigating the loss.
$10,000 | $0 | The cost of the countermeasure equals the cost of the asset. Here, you might weigh the potential for the countermeasure to be needed before making a decision.

NOTE
Loss Potential: This is what would be lost if the threat agent is successful in exploiting a vulnerability.

fying the threat agents that can cause a threat to the environment. Threat agents can be human, programmatic (such as an error or malware), or a natural disaster. The risk factors in the previous section provide a view into the number of possible threat agents an asset could have. Audits look at all the potential threat agents and determine which factors result in the risk to the asset.
Asset Valuation
There are two ways to evaluate assets and the risk associated with their
loss. The quantitative approach attempts to assign a dollar value to the
IN THE FIELD
Some might feel that their own systems and security professionals
could perform the risk assessment. They do know the systems and
understand the processing that occurs. However, although the peo-
ple your company employs might be very competent, they might be
too intimate with operations to be able to tell a technical risk from
a process risk. Outsiders do not have the same ties, so they are
not prejudiced by “what has been.”
When selecting an outside company to do a risk assessment,
make sure it has the resources to understand the latest security
information and industry best practices so it can provide a com-
plete risk assessment. It must understand all the risks involved in
all aspects of information technology. Because these companies do
this on a daily basis, they have more insights into what to expect
as they perform their tests.
STEP BY STEP
3.1 Risk Analysis Steps
1. Identify the assets. When you identify your information
assets, you must consider more than the systems and net-
work components. Information assets can also be the
organization’s data. A company’s sales data that contains
customer information and buying habits is as much of an
asset as the disk and systems that store the information.
Risk analysts will look at the organization’s business
process and ask which information is important to the
business processes. In this process, more emphasis can be
put on the information that is important, such as sales
data, rather than the company phone book.
This is where maintaining documentation and having a
solid configuration management system can help. Rather
than forcing a full discovery of all assets, including pro-
grams and databases, the documentation and configuration
management systems can point to the bulk of the assets
and provide a basis to begin the analysis. This is not to say
that a risk assessment cannot be performed without this
help. Some risk assessments are performed to gather this
information, which is perfectly reasonable when establish-
ing a new or more stringent information security program.
2. Next, you must assign value to the assets. Assigning value
is not a simple task. For hardware or software, the value
can be the purchase or the replacement costs. Setting the
value to information assets is where the process becomes
difficult. To determine value, you would answer the fol-
lowing questions:
• How much revenue does this data generate?
• How much does it cost to maintain?
5. The frequency of occurrence is used to estimate the per-
centage of loss on a particular asset because of a threat.
Also called the exposure factor (EF), this value recognizes
that a threat does not result in a total loss. For example, a
fiber-optic cable running between two buildings being cut
by a maintenance worker affects only the cable and the
productivity for its cut, which might be only 20% of the
organization’s infrastructure. For this asset, the EF would
be 0.20 for calculations.
Risk analysis is based on the loss over the course of a year.
The annualized rate of occurrence (ARO) is the ratio of the
estimated possibility that the threat will take place in a
1-year time frame. The ARO can be expressed as 0.0 if the
threat will never occur, through 1.0 if the threat will
always occur. For example, the ARO for a workstation
virus might be set to 1.0, whereas a power outage to the
network operations center that might occur once every 4
years would have an ARO of 0.25.
6. Now that the collection of facts and figures has been com-
TABLE 3.2
A SAMPLE CALCULATION FOR ALE
A cost/benefit analysis looks at the ALE, the annual cost of the safe-
guard, and the ALE after the countermeasure is installed to deter-
mine whether the costs show a benefit for the organization. The
calculation can be written as follows:
Value of Countermeasure = ALE (without countermeasure) –
Cost (safeguard) – ALE (with countermeasure)
Using the Web server example from Table 3.2, let’s say that the cost
of a universal power supply (UPS)—to purchase and operate—is
$1,000 per year. Even with the UPS, the exposure factor (EF) is
reduced to 5% (0.05) because a power outage that lasts longer than
the UPS can supply power is possible. The utility reports that an
outage that will last longer than the UPS occurs once every 5 years,
reducing the annual rate of occurrence (ARO) to 20% (0.20). Thus,
the following calculation should be used:
ALE (with UPS) = Cost (Web server) × EF × ARO
ALE (with UPS) = $25,000 × 0.05 × 0.20 = $1,250 × 0.20
ALE (with UPS) = $250
With the UPS, the ALE is now $250. Using that for the cost/benefit
analysis, you can calculate the following:
Value of countermeasure = $3,125 – $1,000 – $250
Value of countermeasure = $1,875
One area skipped over was the operation cost of the UPS. The cost
of operating the UPS can be a combination of power usage, modifi-
cations that might have been necessary to install the device, mainte-
nance, and so on. When looking at the actual cost of the counter-
measure during a cost/benefit analysis, all the costs need to be
considered. If the countermeasure affects productivity, the loss must
be accounted for. Should there be additional testing, those costs also
must go into the cost of the countermeasure to get its true cost.
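The following Python carries the EF, ARO, ALE, and cost/benefit formulas from steps 5 and 6 and the UPS discussion through in code. It is an added example for this edition, not from the book. The page's own figures are used: a $25,000 Web server, an ALE of $3,125 without the UPS (quoted from Table 3.2), a $1,000 annual UPS cost, an EF of 0.05, and one long outage every 5 years. The function names and the input checks are assumptions of the example; the formulas are the text's.

```python
def check_fraction(name: str, value: float) -> float:
    """EF and ARO are fractions of 1; anything outside 0.0..1.0 is an input error."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0.0 and 1.0, got {value}")
    return value


def aro_from_interval(years_between_events: float) -> float:
    """ARO for a threat expected once every N years (once every 4 years -> 0.25)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    # a threat expected more than once a year is capped at 'always occurs'
    return min(1.0, 1.0 / years_between_events)


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = asset value x exposure factor (the $1,250 intermediate in the UPS example)."""
    return round(asset_value * check_fraction("EF", ef), 2)


def annualized_loss_expectancy(asset_value: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return round(single_loss_expectancy(asset_value, ef) * check_fraction("ARO", aro), 2)


def countermeasure_value(ale_without: float, annual_cost: float, ale_with: float) -> float:
    """Value = ALE(without countermeasure) - Cost(safeguard) - ALE(with countermeasure).
    A positive result means the safeguard is cheaper than the loss it prevents."""
    return round(ale_without - annual_cost - ale_with, 2)


def ups_example() -> dict:
    """The page's Web server and UPS figures, carried through the formulas above."""
    asset_value = 25_000
    ale_without_ups = 3_125            # quoted in the text from Table 3.2
    ups_annual_cost = 1_000            # purchase and operation, per the text
    ef_with_ups = 0.05                 # outages longer than the UPS can bridge
    aro_with_ups = aro_from_interval(5)  # utility: one such outage every 5 years -> 0.20
    ale_with_ups = annualized_loss_expectancy(asset_value, ef_with_ups, aro_with_ups)
    value = countermeasure_value(ale_without_ups, ups_annual_cost, ale_with_ups)
    return {
        "sle_with_ups": single_loss_expectancy(asset_value, ef_with_ups),
        "ale_with_ups": ale_with_ups,
        "value": value,
        "worthwhile": value > 0,
    }


if __name__ == "__main__":
    for k, v in ups_example().items():
        print(f"{k}: {v}")
    print("earthquake every 15 years, ARO:", round(aro_from_interval(15), 4))
```

The `aro_from_interval` helper is the bridge between how threats are usually described ("once every 4 years", "once every 15 years") and the fraction the ALE formula needs; the 15-year earthquake in the next paragraph comes out at 0.0667, matching the text's 6.67%.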
NOTE
Effectiveness and Functionality of Countermeasures: Choosing a countermeasure for the amount of cost is a pure business way of analyzing risk. However, as security professionals, we understand that regardless of the cost, the countermeasure is not worth using unless it protects the asset. Information security professionals should work with business people to select the most effective countermeasure that will function to properly protect the asset.

This is also not a straightforward analysis. Some threats might occur once over a period of 10 years or more. Even for expensive assets, an ARO of less than 0.10 can cause the analyst to consider whether the countermeasure is worth the cost over the entire time to prevent the threat. For example, the likelihood of an earthquake destroying the network operations center in the New York City area is very low, even in an area that has seen some earthquakes. Seismologists might think that an earthquake causing some damage would occur once every 15 years (an ARO of 6.67%). But is this enough of a threat to provide countermeasures for?
Another consideration is countermeasures that can protect against multiple threats. That potential earthquake in New York might be mitigated by the rigorous building construction guidelines that keep buildings from toppling in high winds. In an information security context, a firewall can be used as a filter to prevent various network-based attacks and as a content filter to stop malicious mobile code.
REVIEW BREAK
Tying It Together
Risk assessment tells the organization what the risks are; it is up to
the organization to determine how to manage the risks. Risk man-
agement is the trade-off an organization makes regarding that risk.
You should remember that not every risk could be mitigated. It is
the job of management to decide how that risk is handled. In basic
terms, the choices are
. Do nothing—If you do this, you must accept the risk and the
These decisions can be made only after identifying the assets, analyz-
ing the risk, and determining countermeasures. Management uses
these steps to make the proper decisions based on the risks found
during this process. Figure 3.3 illustrates these steps.
FIGURE 3.3
The three steps of a risk analysis. (Diagram; the surviving label is “Step 3: Select and Implement Countermeasures.”)

that follow the policies. Figure 3.4 shows the relationships between these processes. The rest of this section discusses how to create these processes.

FIGURE 3.4
The relationships of the security processes.
NOTE
Specifications: Information security policies are the blueprints, or specifications, for a security program.

part of policies. Procedures are implementation details; a policy is a statement of the goals to be achieved by procedures. General terms are used to describe security policies so that the policy does not get
in the way of the implementation. For example, if the policy speci-
fies a single vendor’s solution for a single sign-on, it will limit the
company’s ability to use an upgrade or a new product. Although
your policy documents might require the documentation of your
implementation, these implementation notes should not be part of
your policy.
Although policies do not discuss how to implement information
security, properly defining what is being protected ensures that prop-
er control is implemented. Policies tell you what is being protected
and what restrictions should be put on those controls. Although
product selection and development cycles are not discussed, policies
should help guide you in product selection and best practices during
deployment. Implementing these guidelines should lead to a more
secure environment.
TABLE 3.3
SAMPLE LIST OF POTENTIAL POLICIES
Physical Policies | User and Access Control Policies | External Access Policies
Acceptable Use | Authentication and Access Controls | Internet Security
 | Encryption | 
Network Architecture | Public Key Infrastructures | VPN Access
Setting Standards
When creating policies for an established organization, there is an
existing process for maintaining the security of the assets. That
existing process is used as a driver for the policies. For other policies in
which there are no technology drivers, standards can be used to
establish the analysts’ mandatory mechanisms for implementing the
policy.
Creating Baselines
Baselines are used to create a minimum level of security necessary to
meet policy requirements. Baselines can be configurations, architec-
tures, or procedures that might or might not reflect the business
process but that can be adapted to meet those requirements. You can
use these baselines as an abstraction to develop standards.
Most baselines are specific to the system or configuration they repre-
sent, such as a configuration that allows only Web services through a
firewall. However, like most baselines, this represents a minimum
standard that can be changed if the business process requires it. One
example is to change the configuration to allow a VPN client to
access network resources.
Guidelines
Standards and baselines describe specific products, configurations, or
other mechanisms to secure the systems. Sometimes security cannot
be described as a standard or set as a baseline, but some guidance is
necessary. These are areas where recommendations are created as
guidelines to the user community as a reference to proper security.
For example, your policy might require a risk analysis every year.
Rather than require specific procedures to perform this audit, a
guideline can specify the methodology that is to be used, leaving the
audit team to work with management to fill in the details.
MANAGEMENT RESPONSIBILITY
Know what management’s responsibility is in the
information security environment.
Management’s responsibility goes beyond the basics of support. It is
not enough just to bless the information security program; manage-
ment must own up to the program by becoming a part of the
process. Becoming part of the process involves showing leadership in
the same manner that managers show leadership in other aspects of
the organization.
Management has specific goals for the organization, and most secu-
rity and information system professionals are not in the position to
understand or appreciate these nuances. Because security is not
something that can be wrapped into a package and bought off the
shelf, management must drive the attitudes for creating a good secu-
rity program. This can only come after the analysis of risks, costs,
and the requirements to ensure that information is not too secure to
access. Management is responsible for doing the analysis and con-
veying this to the technical people responsible for implementing
these policies.
UNDERSTANDING PROTECTION
MECHANISMS
Understand how the various protection mechanisms are
used in information security management.
Protection mechanisms are used to enforce layers of trust between security levels of a system. Particular to operating systems, trust levels are used to provide a structured way to compartmentalize data access and create a hierarchical order. These protection mechanisms are used to protect processes and data and are discussed in the following sections:
• Layering
• Abstraction
• Data Hiding
• Encryption
Layering
Most systems use a form of layering as a way to protect system resources. A traditional kernel-based operating system, such as Unix, uses a two-layer approach in which the system resources are managed in a protected kernel and everything else runs in an outer layer known as the user’s space. If a process running in the user’s space wants to access a protected resource, such as the disk, it makes a request to the kernel layer to perform the action.
Layering is specific to protecting operating system resources and to setting security zones. Systems used for military applications are designed to allow access to classified information based on the protection zone within which they are allowed to run. To do this, the Bell-LaPadula protection model was developed. Using this multilayer system, the different zones are used to keep data classified within a particular zone (see Figure 3.5). Users must have access to the zone to use the data, and the data cannot be moved between zones without special permission. This lattice of rights is also called “no write down” and “no read up.” See Chapter 1, “Access Control Systems and Methodology,” for more information on the Bell-LaPadula protection model.
[Figure 3.5: security zones; labels shown include “Upper Bound” and “Public”.]
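The following is an added example, not part of the book, showing the Bell-LaPadula rules in code: the zones are ordered as a lattice, a read is allowed only when the subject’s clearance dominates the data’s zone (no read up), and a write is allowed only when the data’s zone dominates the subject’s clearance (no write down). The zone names are the government classifications listed later in this chapter; the subjects, objects, and requests are constructed for illustration.

```python
"""Added example: Bell-LaPadula 'no read up' / 'no write down' checks.

Not from the book. Zone names follow the government classifications in
this chapter; subjects, objects and requests are constructed.
"""
from dataclasses import dataclass

# Zones ordered from lowest to highest sensitivity.
ZONES = ["unclassified", "sbu", "confidential", "secret", "top secret"]
RANK = {zone: level for level, zone in enumerate(ZONES)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str        # zone the subject is allowed to run in


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: str   # zone the data is kept in


def dominates(higher: str, lower: str) -> bool:
    """True when `higher` is at least as sensitive as `lower` in the lattice."""
    return RANK[higher] >= RANK[lower]


def can_read(subject: Subject, obj: DataObject) -> bool:
    """Simple security property: a subject may not read above its clearance."""
    return dominates(subject.clearance, obj.classification)


def can_write(subject: Subject, obj: DataObject) -> bool:
    """*-property: a subject may not write below its clearance, because that
    would move data from a higher zone into a lower one."""
    return dominates(obj.classification, subject.clearance)


def decide(subject: Subject, obj: DataObject, op: str) -> str:
    """Return an audit-log style decision line for a read or write request."""
    if op == "read":
        allowed = can_read(subject, obj)
    elif op == "write":
        allowed = can_write(subject, obj)
    else:
        raise ValueError(f"unknown operation {op!r}")
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} {op} {subject.name}({subject.clearance}) -> "
            f"{obj.name}({obj.classification})")


def demo() -> list[str]:
    """Constructed requests from one analyst cleared to 'secret'."""
    analyst = Subject("analyst", "secret")
    requests = [
        (analyst, DataObject("ops-plan", "top secret"), "read"),     # read up
        (analyst, DataObject("budget", "confidential"), "read"),     # read down
        (analyst, DataObject("press-kit", "unclassified"), "write"), # write down
        (analyst, DataObject("ops-plan", "top secret"), "write"),    # write up
    ]
    return [decide(s, o, op) for s, o, op in requests]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The “write up” case is the one people find surprising: the model permits a lower-cleared subject to append to a higher zone because that never leaks data downward; whether such a write is sensible is an integrity question that Bell-LaPadula does not address.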
Abstraction
Abstraction is a common term in the world of object-oriented design.
It is when data is managed as a collection called an object. Objects
are usually defined as classes that define the data and the methods
that can be used to access the object. Methods provide a predictable
way to access the object’s data, which allows the entire data within
the class to be managed as a unit that can enforce access controls
and integrity of the data.
Data Hiding
Sometimes access to data should not be provided—for example, data values within an application module that are used for internal calculations. In this case, no access methods are provided as an interface to this data. This is called data hiding because the data is hidden and inaccessible from the other layers.
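As an added example (not from the book), the following Python class shows abstraction and data hiding together: an account’s balance, its ledger, and an internal overdraft limit are reachable only through methods, and those methods are where the integrity rules and access control are enforced. The account, the owner and auditor names, and the rules are constructed for illustration. Python’s double-underscore names are only renamed, not truly hidden, so the point is that the methods are the sole supported interface to the data.

```python
"""Added example: abstraction and data hiding in one object.

Not from the book. A constructed Account whose data is reachable only
through methods that enforce integrity and access control.
"""


class Account:
    """The data and the only methods allowed to touch it, managed as a unit."""

    # Internal calculation value used by the methods; not part of the interface.
    __OVERDRAFT_LIMIT_CENTS = 0

    def __init__(self, owner: str, auditors: set[str]):
        self.__owner = owner
        self.__auditors = set(auditors)
        self.__balance_cents = 0                       # hidden; no direct accessor
        self.__ledger: list[tuple[str, int]] = []      # hidden record of changes

    def deposit(self, amount_cents: int) -> int:
        """Integrity rule: only positive amounts may be added."""
        if amount_cents <= 0:
            raise ValueError("deposit must be positive")
        self.__balance_cents += amount_cents
        self.__ledger.append(("deposit", amount_cents))
        return self.__balance_cents

    def withdraw(self, amount_cents: int) -> int:
        """Integrity rule: the balance may not drop below the overdraft limit."""
        if amount_cents <= 0:
            raise ValueError("withdrawal must be positive")
        if self.__balance_cents - amount_cents < -self.__OVERDRAFT_LIMIT_CENTS:
            raise ValueError("insufficient funds")
        self.__balance_cents -= amount_cents
        self.__ledger.append(("withdraw", amount_cents))
        return self.__balance_cents

    def balance_for(self, requester: str) -> int:
        """Access control enforced at the method: owner or auditors only."""
        if requester != self.__owner and requester not in self.__auditors:
            raise PermissionError(f"{requester} may not view this account")
        return self.__balance_cents

    def statement_for(self, requester: str) -> list[tuple[str, int]]:
        """The ledger is visible to auditors only, and only as a copy."""
        if requester not in self.__auditors:
            raise PermissionError("ledger is visible to auditors only")
        return list(self.__ledger)


def demo() -> dict:
    """Exercise the interface with constructed actors and amounts."""
    acct = Account("alice", auditors={"audit-team"})
    acct.deposit(50_000)
    balance = acct.withdraw(12_500)
    try:
        acct.withdraw(100_000)             # would overdraw; rejected
        overdraft_blocked = False
    except ValueError:
        overdraft_blocked = True
    try:
        acct.balance_for("mallory")        # not owner, not auditor; rejected
        outsider_blocked = False
    except PermissionError:
        outsider_blocked = True
    return {
        "balance": balance,
        "overdraft_blocked": overdraft_blocked,
        "outsider_blocked": outsider_blocked,
        "ledger_entries_seen_by_auditor": len(acct.statement_for("audit-team")),
        "raw_attribute_exposed": hasattr(acct, "__balance_cents"),
    }


if __name__ == "__main__":
    print(demo())
```

The rejected withdrawal never reaches the ledger, so the record of changes stays consistent with the balance; that is what the text means by the class managing integrity as a unit.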
Encryption
Cryptography is the science of creating algorithms used to encrypt
data for the storage or transmission of data. Encryption uses those
algorithms to convert data into an unintelligible form. In basic
terms, encryption uses a secret key, a private value, to perform a
mathematical function on the data to make it unusable by the casual
observer. Traditionally, the same key is required to encrypt and
decrypt the data. This is called symmetric encryption.
Public key cryptography is similar except that the mathematical
functions can use two different but mathematically related keys. The
functions generate two keys: One is kept private, and one can be
given out publicly. If someone wants to send you an encrypted file,
she encrypts it with your public key. Once encrypted, you can only
use the private key to decrypt the message. This is called asymmetric
encryption.
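Added example, not from the book: two deliberately tiny ciphers that make the key relationships above concrete. The symmetric one derives a keystream from SHA-256 of the shared key and a counter, so the same key must be used to encrypt and decrypt; the asymmetric one is textbook RSA on the small primes 61 and 53, so the public key encrypts and only the matching private key decrypts. Both are teaching versions only, chosen so the arithmetic can be followed by hand.

```python
"""Added example: symmetric versus asymmetric (public key) encryption.

Not from the book. Teaching-size ciphers only: a SHA-256 keystream XOR
for the symmetric case and textbook RSA on tiny primes for the
asymmetric case.
"""
import hashlib
from math import gcd


# --- symmetric: one secret key both encrypts and decrypts ------------------
def _keystream(key: bytes, length: int) -> bytes:
    """Derive `length` bytes from the key and a running counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


sym_decrypt = sym_encrypt   # XOR with the same keystream undoes the XOR


# --- asymmetric: two related keys; public encrypts, private decrypts -------
def rsa_keypair(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)) for small primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(public_key, m: int) -> int:
    e, n = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


def demo():
    """Show which key recovers the message in each scheme."""
    msg = b"meet at noon"
    shared = b"shared-secret"
    ct = sym_encrypt(shared, msg)
    sym_same_key_works = sym_decrypt(shared, ct) == msg
    sym_other_key_works = sym_decrypt(b"other-key", ct) == msg

    pub, priv = rsa_keypair(61, 53)          # constructed tiny key pair
    c = rsa_encrypt(pub, 65)
    rsa_private_works = rsa_decrypt(priv, c) == 65
    rsa_public_works = rsa_decrypt(pub, c) == 65   # wrong key, no recovery
    return sym_same_key_works, sym_other_key_works, rsa_private_works, rsa_public_works


if __name__ == "__main__":
    print(demo())
```

With p = 61 and q = 53 the modulus is 3233 and the private exponent works out to 2753; the message 65 encrypts to 2790 and decrypts back only with that private exponent, which is the whole of the asymmetric idea at a scale you can check with a calculator.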
CLASSIFYING DATA
Understand the considerations and criteria for classifying data.
Throughout this chapter, we have discussed various aspects of protecting information assets. When we talk about risk analysis and management, we talk about the most cost-effective way of protecting the information asset. Part of setting the level of risk associated with data is placing it in a classification. After data is classified, a risk analysis can be used to set the most cost-effective ways of protecting that data from various attacks.
Classifying data is supposed to tell you how the data is to be protected. More sensitive data, such as human resources or customer information, can be classified in a way that shows that disclosure has a higher risk.
Commercial Classification
Classification of commercial or nongovernment organizations does
not have a set standard. The classification used is dependent on the
overall sensitivity of the data and the levels of confidentiality desired.
Additionally, a nongovernment organization might consider the
integrity and availability of the data in its classification model.
There is no formula in creating the classification system—the system used is dependent on the data. Some organizations use two types of classification: confidential and public. For others, a higher granularity might be necessary. Table 3.4 contains a typical list of classifications that can be used for commercial organizations, from highest to lowest.
TABLE 3.4
Commercial Data Classifications from Highest to Lowest
Classification: Description
Sensitive: Data that is to have the most limited access and requires a high degree of integrity. This is typically data that will do the most damage to the organization should it be disclosed.
Confidential: Data that might be less restrictive within the company but might cause damage if disclosed.
Private: Private data is usually compartmental data that might not do the company damage but must be kept private for other reasons. Human resources data is one example of data that can be classified as private.
Proprietary: Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the company’s competitive advantage, such as the technical specifications of a new product.
Public: Public data is the least sensitive data used by the company and would cause the least harm if disclosed. This could be anything from data used for marketing to the number of employees in the company.
Government Classification
Government classification of data is something created out of policy for maintaining national security or the privacy of citizen data. Military and intelligence organizations set their classifications on the ramifications of disclosure of the data. Civilian agencies also look to prevent unauthorized disclosure, but they also have to consider the integrity of the data.
NOTE
Classifications for Sensitive Data The classifications for the sensitivity of data used in government and military applications are top secret, secret, confidential, sensitive but unclassified, and unclassified.
The implementation of the classification is based on laws, policies,
and executive directives that can be in conflict with each other.
Agencies do their best to resolve these conflicts by altering the
meaning of the standard classifications. Table 3.5 explains the
types of classifications used by government civilian and military
organizations.
TABLE 3.5
Government Data Classifications from Highest to Lowest
Classification: Description
Top Secret: Disclosure of top secret data would cause severe damage to national security.
Secret: Disclosure of secret data would cause serious damage to national security. This data is considered less sensitive than data classified as top secret.
Confidential: Confidential data is usually data that is exempt from disclosure under laws such as the Freedom of Information Act but is not classified as national security data.
Sensitive But Unclassified (SBU): SBU data is data that is not considered vital to national security, but its disclosure would do some harm. Many agencies classify data they collect from citizens as SBU. In Canada, the SBU classification is referred to as protected (A, B, C).
Criteria
After the classification scheme is identified, the organization must
create the criteria for setting the classification. No set guidelines exist
for setting the criteria, but some considerations are as follows:
• Who should be able to access or maintain the data?
• Which laws, regulations, directives, or liability might be required in protecting the data?
• For government organizations, what would the effect on national security be if the data were disclosed?
• For nongovernment organizations, what would the level of damage be if the data was disclosed or corrupted?
• Where is the data to be stored?
• What is the value or usefulness of the data?
STEP BY STEP
3.2 Creating Data Classification Procedures
1. Set the criteria for classifying the data.
2. Determine the security controls that will be associated with the classification.
3. Identify the data owner who will set the classification of the data.
4. Document any exceptions that might be required for the security of this data.
5. Determine how the custody of the data can be transferred.
6. Create criteria for declassifying information.
7. Add this information to the security awareness and training programs so users can understand their responsibilities in handling data at various classifications.
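The steps above can be represented in code so that the rules are enforced rather than only documented. The following added example (not from the book) encodes steps 1 through 6: the scheme from Table 3.4, an assumed set of handling controls per label, owner-only classification, recorded exceptions, custody transfers, and a date-based declassification criterion. The labels are from the table; the controls, the record, its owner and custodians, and the dates are constructed for illustration.

```python
"""Added example: Step by Step 3.2 as data and checks.

Not from the book. Labels follow Table 3.4; the controls per label, the
record, its people and its dates are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Step 1: the scheme, highest to lowest (Table 3.4).
LABELS = ["sensitive", "confidential", "private", "proprietary", "public"]

# Step 2: controls tied to each label (illustrative, not from the book).
CONTROLS = {
    "sensitive":    {"encrypt-at-rest", "mfa", "need-to-know", "audit-log"},
    "confidential": {"encrypt-at-rest", "need-to-know", "audit-log"},
    "private":      {"need-to-know", "audit-log"},
    "proprietary":  {"nda", "audit-log"},
    "public":       set(),
}


@dataclass
class Record:
    name: str
    owner: str                                   # Step 3: the owner sets the label
    custodian: str
    label: str = "public"
    exceptions: list = field(default_factory=list)   # Step 4
    release_date: Optional[date] = None              # Step 6 criterion
    history: list = field(default_factory=list)

    def classify(self, actor: str, label: str, exception: Optional[str] = None):
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        if label not in LABELS:
            raise ValueError(f"unknown label {label!r}")
        self.label = label
        if exception:
            self.exceptions.append(exception)
        self.history.append(f"{actor} set {label}")

    def required_controls(self) -> set:
        return set(CONTROLS[self.label])

    def transfer_custody(self, actor: str, new_custodian: str):   # Step 5
        if actor not in (self.owner, self.custodian):
            raise PermissionError("only the owner or current custodian may transfer")
        self.history.append(f"custody {self.custodian} -> {new_custodian}")
        self.custodian = new_custodian

    def declassify(self, actor: str, today: date):                 # Step 6
        if actor != self.owner:
            raise PermissionError("only the owner may declassify")
        if self.release_date is None or today < self.release_date:
            raise ValueError("declassification criteria not met")
        self.history.append(f"{actor} declassified on {today}")
        self.label = "public"


def demo() -> dict:
    """Walk one constructed record through the procedure."""
    rec = Record("pricing-sheet", owner="alice", custodian="bob",
                 release_date=date(2003, 1, 1))
    rec.classify("alice", "proprietary", exception="shared with partner under NDA")
    controls = sorted(rec.required_controls())
    try:
        rec.classify("bob", "public")             # custodian, not owner
        owner_rule_held = False
    except PermissionError:
        owner_rule_held = True
    rec.transfer_custody("bob", "carol")
    try:
        rec.declassify("alice", date(2002, 10, 21))   # before release date
        early_release_blocked = False
    except ValueError:
        early_release_blocked = True
    rec.declassify("alice", date(2003, 6, 1))
    return {
        "controls_while_proprietary": controls,
        "owner_rule_held": owner_rule_held,
        "custodian": rec.custodian,
        "early_release_blocked": early_release_blocked,
        "final_label": rec.label,
        "history_length": len(rec.history),
    }


if __name__ == "__main__":
    print(demo())
```

Every decision appends to the record’s history, which is the material step 7 hands to the awareness program: users can be shown exactly who may set a label, who may move custody, and why an early release request is refused.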
Termination
There will come a time when an employee or a contractor is no longer associated with the organization. Regardless of whether the termination is from voluntary or involuntary means, administrators must have procedures in place to revoke access to the organization’s resources. Keeping a user’s identification active might leave the network open for attack, and just deleting the user’s information can destroy potential information assets.
Regardless of the procedures used, they should consider immediate revocation of access to the networks. Additionally, personnel policies should be adjusted to ensure employees do not have the type of access to the systems, network, and physical facilities to do damage. Even for contractors whose contracts have expired or been terminated, it might be a good idea to have a manager or security guard escort the former employee out of the building. During the process, someone should collect the employee’s identification badges, keys, and other access control devices; disconnect his phone; turn off his email; lock his intranet account; and so on.
Job Descriptions
Job descriptions are usually associated with requisitions and advertisements used to fill jobs within the organization. In the information security context, job descriptions define the roles and responsibilities for each employee. Within those roles and responsibilities, procedures are used to set the various access controls to ensure that the user can get access only to the resources he is allowed to access.
During periodic audits and monitoring, a user who might be accessing information beyond his job description might be an indication of a problem. For example, a contractor working on the development of the new Web system should not be able to access accounting data. The danger to this is when the job descriptions are not properly maintained. If a job description is informally changed without changing the official job description, there can be problems trying to enforce policies. It would help if there were a policy to change job descriptions before changing access control lists.
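One way to make the periodic audit described above concrete, as an added example (not from the book): a role-to-resource map stands in for the official job descriptions, and an access log is checked against it so that accesses outside a role, or under a role that has no description on file, are reported. The log format, the roles, and the sample lines are constructed for illustration; the contractor reaching accounting data is the case from the text.

```python
"""Added example: flag accesses that fall outside a job description.

Not from the book. The roles, resource prefixes, log format and sample
log lines are all constructed for illustration.
"""
import re
from typing import Optional

# Allowed resource prefixes per job description (constructed).
ROLE_ACCESS = {
    "web-contractor": ["/www/", "/dev/webapp/"],
    "accountant": ["/accounting/"],
    "hr-analyst": ["/hr/"],
}

# Assumed record format: "<date> <time> user=.. role=.. resource=.. action=.."
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"resource=(?P<resource>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log.
SAMPLE_LOG = """\
2002-10-21 09:12:03 user=dana role=web-contractor resource=/dev/webapp/cart.py action=read
2002-10-21 09:15:41 user=dana role=web-contractor resource=/accounting/ledger.xls action=read
2002-10-21 09:20:10 user=raj role=accountant resource=/accounting/ledger.xls action=write
2002-10-21 09:22:55 user=raj role=accountant resource=/hr/salaries.xls action=read
2002-10-21 09:30:00 user=lee role=unknown-role resource=/www/index.html action=read
this line is not a valid access record
"""


def parse(line: str) -> Optional[dict]:
    """Return the record's fields, or None when the line does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def out_of_role(event: dict) -> Optional[str]:
    """Return a finding when the access is outside the role's description."""
    allowed = ROLE_ACCESS.get(event["role"])
    if allowed is None:
        return (f"{event['ts']} {event['user']}: role {event['role']!r} "
                f"has no job description on file")
    if not any(event["resource"].startswith(prefix) for prefix in allowed):
        return (f"{event['ts']} {event['user']} ({event['role']}) accessed "
                f"{event['resource']} outside role")
    return None


def audit(log_text: str) -> list:
    """Run every record through the role check; unparseable lines are findings too."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        if event is None:
            findings.append(f"unparseable record: {line.strip()!r}")
            continue
        finding = out_of_role(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

Reporting a role with no description on file is deliberate: it is the detection side of the maintenance problem the text raises, since an informally created or renamed role cannot be checked against anything.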
Job Rotation
Job rotation is the concept of not having one person in one position for a long period of time. The purpose is to prevent a single individual from having too much control. Allowing someone to have total control over certain assets can result in the misuse of information, the possible modification of data, and fraud. By enforcing job rotation, one person might not have the time to build the control that could place information assets at risk.
Another part of job rotation should be to require those working in
sensitive areas to take their vacations. By having some of the
employees leave the work place, others can step in and provide
another measure of oversight. Some companies, such as financial
organizations, require their employees to take their vacations during
the calendar or fiscal year.
[…]ment is to know the present configuration of the system and its components. By knowing what is supposed to be in the system and network, administrators can identify whether security has been violated and rogue programs have been installed on the system.
NOTE
Change Control, Configuration Management, and Revision Control These are all similar phrases that describe the maintenance and tracking of changes to hardware and software.
One of the key security aspects of revision control and configuration management is the capability to track changes. If problems occur, administrators can examine the system in the context of the software and other installed components to see what might have caused the problem. The first step in creating these traces is to have a policy that mandates a formal change control procedure for all hardware and software systems. This policy should provide for written requests to perform system changes that can include a review for security. Using the policy as the base, the standards and procedures can be written to support the processes that log every change to any information component.
A common topic of change control is what is used to track software development. In this case, the change management system can be used to re-create software to a certain revision to roll back from changes that might have caused security concerns or bugs.
NOTE
Importance of Change Control Change control on software systems can prevent unauthorized changes to those products. Untested patches can introduce bugs and other vulnerabilities that can be exploited.
Change control can be used to track vendor software changes. It can be considered inevitable that installed software will have bugs. Some of these bugs can be an inconvenience in operations, whereas others have security implications. It has been a source of debate among security and systems administration professionals as to how to handle fixing the software that has security problems. On one hand there is the need to fix the problem immediately to prevent problems. However, installing patches, even from a vendor, can lead to unpredicted results.
Large organizations have the capability to create test systems to test these changes before installing them into the production environment. Smaller organizations, though, might not have this luxury and might have to patch production systems. Whatever the size of your organization, having policies and procedures in place to track these changes will help you maintain the configuration of your software systems.
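Knowing what is supposed to be on a system, as described above, can be checked mechanically. The following added example (not from the book) records a baseline of SHA-256 hashes for a constructed directory tree, takes a later snapshot, and reports what was added, removed, or modified, which is how an untracked patch or a rogue program shows up against a configuration baseline. The paths and file contents are constructed for illustration.

```python
"""Added example: a hash baseline that reveals unexpected changes.

Not from the book. Builds a constructed directory, records a baseline,
simulates unrecorded changes and reports the differences.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Baseline a constructed tree, change it, and report what moved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"original binary")
        (root / "etc").mkdir()
        (root / "etc" / "service.conf").write_text("listen=127.0.0.1\n")
        baseline = snapshot(root)          # what the change log says is there

        # Changes made without going through change control.
        (root / "bin" / "service").write_bytes(b"replaced binary")   # modified
        (root / "bin" / "helper").write_bytes(b"unknown program")    # added
        (root / "etc" / "service.conf").unlink()                     # removed
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Every entry the comparison reports should match a written change request; anything that does not is either an undocumented change to chase down or the kind of rogue component the text warns about. Keep the baseline manifest somewhere the monitored system cannot rewrite it, or a change that edits both the file and the baseline goes unnoticed.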
CHAPTER SUMMARY
Understanding the management role of information security means understanding how the information security process interfaces with the rest of the organization. It is not enough to just set policies—security is a process that must be molded into the business process to support its functions. Management must support these processes with commitment and training.
Understanding what is to be protected is an important beginning of the management process. A risk analysis is used to determine the information assets that need to be protected and how they can be best protected. The risk analysis takes into consideration the costs of the assets to determine not only the countermeasures, but also whether the assets are worth protecting.
Using this information, policies, guidelines, standards, and procedures can be created to reach the security goals. Policies can be described as the goals of the information security program. Guidelines are suggestions, and standards are the specific security mechanisms that can be used. Procedures use the guidelines and standards to implement the policies.
Access methods and protection mechanisms are used to manage the access and movement of data. A typical access method paradigm is to set the roles and responsibilities for access to the data. Protection mechanisms are used to compartmentalize access to data and processes. Layers are used to prevent unauthorized access to protected resources and data, whereas abstraction and data hiding are used to protect data.
Knowing who your users are is as important as setting their access rights to information assets. Employment policies enforce background checks during the hiring process to prevent hiring those who might be security risks. They can also set termination procedures to prevent the terminated user from destroying systems and data out of malice.
Change control and configuration management can be used to prevent unauthorized changes to the network. Change control policies can be used to maintain the configuration of all information assets to prevent them from being used to attack your organization.
The only way to really demonstrate management support of the policies and procedures is to require and support security awareness training. Through training, users come to understand their roles and responsibilities in the security environment. Training is the only way for the users to understand their responsibilities.
KEY TERMS
• Abstraction
• Access control
• Accountability
• Annualized loss expectancy
• Annualized rate of occurrence
• Asset valuation
• Audit
• Authentication
• Authorization
• Availability
• Awareness training
• Baselines
• Change control
• Confidentiality
• Configuration management
• Countermeasures
• Cryptographic keys
• Data classification
• Data hiding
• Encryption
• Exposure factor
• Guidelines
• Identification
• Incident response
• Integrity
• Layering
• Nonrepudiation
• Password
• Policies
• Procedures
• Responsibilities
• Revision control
• Risk analysis
• Risk management
• Roles
• Single loss expectancy
• Tokens
APPLY YOUR KNOWLEDGE
Exercises
3.1 Making Information Security Management Decisions
A good way to understand the management responsibilities of information security is to look at an aspect of a risk assessment and determine the best course of action. The following questions are designed to lead you down the decision path.
Estimated Time: 30–45 minutes
1. Your organization uses a dial-in terminal service to support customer service. The system consists of 21 inbound telephone lines and 3 outgoing lines. When calculating the risk because of an outage, the annualized loss expectancy (ALE) is $350,000. As a countermeasure, it has been decided to look into installing another telephone circuit and modem bank. The cost for this new installation is estimated to be $350,000, but it will lower the ALE to $25,000. Is this a cost-effective countermeasure? Why?
2. For the previous question, which policy statement(s) should be written to support your decision?
Review Questions
2. What is the method for a system to know who is accessing its resources?
3. What is nonrepudiation?
4. What is the purpose of performing a risk analysis?
5. What are the categories of risks that are looked at during a risk analysis?
6. How are information security procedures formed?
7. The Bell-LaPadula security model uses what mechanism to protect system resources?
8. What is the difference between synchronous and asynchronous encryption technologies?
9. What is the purpose of classifying data?
10. In the context of information security, why would an organization do a background check and have an employee sign an employment agreement?
Exam Questions
1. How do you calculate the annualized loss expectancy of a particular risk?
2. […]
C. Management’s statements outlining its security goals
D. Risk management procedures
3. A security program is a balance of what?
A. Risks and countermeasures
B. Access controls and physical controls
C. Firewalls and intrusion detection
D. Technical and nontechnical roles
4. Which statement is true when considering the information security objectives that the military would use versus the objectives used for commercial systems?
A. A military system requires higher security because the risks are greater.
B. Military systems base their controls on confidentiality, whereas commercial systems are based on availability and data integrity.
C. Only the military can make systems really secure.
D. Military systems base their controls on availability and data integrity, whereas commercial systems are based on confidentiality.
5. What does a risk analysis show management?
A. The amount of money that could be lost if security measures are not implemented
B. How much a countermeasure will cost
C. The cost benefit of implementing a countermeasure
D. The amount of money that can be saved if security is implemented
6. Who has the responsibility to determine the classification level for information?
A. Users
B. Management
C. Data owners
D. Security administrators
7. Why should the team performing a risk analysis be formed with representatives from all departments?
A. To ensure everyone is involved.
B. To ensure that all the risk used in the analysis is as representative as possible.
C. The risk analysis should be performed by an outside group and not by biased insiders.
D. To hold those accountable for causing the risk.
8. Which of the following is not a basic principle of authentication?
A. What the entity knows
B. Where the entity is
C. Who the entity is
D. What the entity may have
9. What is the purpose of designing a system using the Bell-LaPadula model?
A. To hide data from other layers
B. To manage data and methods as objects
C. To convert data to something that cannot be read
D. To separate resources of a system into security zones
10. Managing an information security program is a matter of using the following principles except which one?
A. Accountability
B. Integrity
C. Confidentiality
D. Availability
Answers to Review Questions
1. Confidentiality, integrity, and accountability. For more information, see the section “CIA: Information Security’s Fundamental Principles.”
2. Identification and authentication is the method that associates that the object (user, process, and so on) is the entity it claims to be. See the section “Identification and Authentication” for more information.
3. Nonrepudiation is the ability to ensure that the originator of a communication or message is the true sender by guaranteeing authenticity of its digital signature. For more information, see the section “Nonrepudiation.”
4. The purpose of a risk analysis is to assess and quantify damage to information assets and to help justify appropriate safeguards. This was described in the section “Risk Management and Analysis.”
5. The risk categories are damage resulting in physical loss of an asset or the inability to access the asset, disclosure of critical information, and losses that may be permanent or temporary. This was discussed in the section “Risk Management and Analysis.”
6. Procedures are formed from guidelines and standards to implement the stated policies. For more information, see the “Policies, Standards, Guidelines, and Procedures” section.
7. The Bell-LaPadula model uses layering to separate resources into security zones. This was discussed in the “Layering” section.
8. Synchronous encryption uses the same key to encrypt and decrypt a message. Asynchronous, or public key, encryption uses two keys: The public key of the user who is to read the message is used to encrypt that message, and the private key is used by the recipient to decrypt the message. More information can be found in the “Encryption” section.
9. Classifying data is supposed to tell you how the data is to be protected. The section “Classifying Data” explains this further.
10. Background checks and employee agreements are tools used to prevent insider attacks. This was discussed in the “Employment Policies and Practices” section.
Answers to Exam Questions
1. A. Answer A is the correct answer because the calculation for the annualized loss expectancy (ALE) is the single loss expectancy (SLE) times the annual rate of occurrence (ARO). Answers B and D are not correct and do not calculate anything worthwhile for a risk analysis. Answer C calculates the SLE value. See the “Asset Valuation” section for more information.
2. C. Answer C is the correct answer because policies are used to describe how an organization wants to protect information assets. Answer A is wrong because guidelines are derived from the policies. Answer B is a procedure that would support a policy. Answer D is wrong because risk management is a component in creating the policy and does not define them. See the “Policies, Standards, Guidelines, and Procedures” section for more information.
3. D. Answer D is correct because, as the entire chapter shows, security has both components, including physical and personnel security. Answer A is incorrect because it describes only the risk analysis process. Answer B is incorrect because it is focused on two areas of a security program. Answer C is wrong because it concentrates only on network controls.
4. B. Answer A is wrong because the risks can be similar and even greater for some commercial systems. Answer C is wrong because there are plenty of commercial systems that are secure, and answer D is the reverse of the correct answer. See the “Classifying Data” section for more information.
5. A. Answers B and C are wrong because they are parts of the risk analysis. Answer D is wrong because it is what the analysis demonstrates, which is only part of the story. See the “Risk Analysis” section for more information.
6. C. Answer A is wrong because the users are the ones for which the protections are being instituted. Answers B and D are wrong because they do not have the custodial responsibility to understand how data should be accessed. See the “Classifying Data” section for more information.
7. B. Answer A is a nice idea but not the reason to include all departments. Answer C is wrong because, even if outsiders were used, which was discussed as an option, the insiders would have to provide input into their departments’ risks. Answer D is an interesting concept, but not everyone is involved in risks. See the “Risk Analysis” section for more information.
8. B. Answers A, C, and D are all principles of authentication. Identifying the location can be helpful but is not one of the basic principles. See the “Identification and Authentication” section for more information.
9. D. Answer A is wrong because it is the purpose of data hiding. Answer B is wrong because it is a principle of abstraction, and answer C is wrong because it is the principle of encryption. See the “Understanding Protection Mechanisms” section for more information.
10. A. Answers B, C, and D are the basic C.I.A. principles. See the “Defining Security Principles” section for more information.
STUDY STRATEGIES
• It is difficult for someone who has never written a software program or participated in a development project to understand the problems associated with developing secure programs. It is obvious, however, that something more can be done to produce software that is free from the types of errors that seem to make it vulnerable to attack. It is easy to review the types of malicious software present in today’s computing environment—you’ve probably been in way too close contact with it. It is much harder, however, to go beyond this public view of software security. To study the development aspects of this domain requires the ability to seek the details behind the software interface to which you are exposed. Some useful approaches include
• Study the software development methodologies presented in this chapter and review the Web links. Many times these links expose you to code examples. Reading these examples is somewhat like examining documents written with many references to foreign language examples. It’s a little hard going; however, the authors often provide explanations of the code to help you understand.
• If possible, access development documents for past projects at your company. These documents can provide you with an appreciation for the level of complexity of the software development process.
• Obtain and read the LeBlanc (Writing Secure Code) and Viega (Building Secure Software) books on developing secure code. Although written for programmers, these books contain sufficient high-level treatments of the subject and provide interesting and understandable resources for you on software development practices that can result in a better appreciation for the degree of difficulty encountered and the beginning of a formulation for your own list of best practices.
• Visit the sites of major PC antivirus software producers, and read the descriptions of the top ten viruses.
• Visit the sites of security corporations and look for articles that speak to security flaws in software—that is, the why behind a vulnerability. Although sites that reveal the latest tools, exploits, and security software abound, search for those that talk about the actual code (such as www.securityfocus.com, www.eeye.com, and www.ntbugtraq). We all know that vulnerabilities exist. The idea is to begin to see why.
• Organize your knowledge into the major objectives covered in this chapter, and review the terminology listed at the end of the chapter. Then, review Appendix A, “Glossary.”
INTRODUCTION
On May 17, 2002, Carnegie Mellon University, Microsoft, Raytheon Co., and NASA announced the formation of the Sustainable Computing Consortium. Their goal? Write the specifications for software quality; write them so we can judge software against it; write them so that consumers will have a way to judge software; and write them so insurance companies can better judge which software or product is more likely to be hacked and thus can vary their insurance rates. Companies that use the less hackable products will get a reduction in insurance rates. Interestingly enough, the Sustainable Computing Consortium will also sport members who are lawyers, public policy experts, economists, and software engineers. You see, it’s not just the “nerds” who are responsible for computer security.
Whether you consider yourself on the geeky side of this domain or hesitant to investigate it because of a predisposal to avoiding the complex subject of computer programming, you can agree, I think, to that premise. Learning about application development and the problems that can make our systems more risky gives us an appreciation for the complexity of the process and the ability to deal with excuses that point to that complexity as the reason more secure software cannot be written.
No one can guarantee that better, more secure software will be the result of your studies in these areas, but I can guarantee that your lack of knowledge of the problems and best practices will prevent your participation in what must be universal efforts to improve the quality, reliability, and security of software applications.
This chapter will help you in your studies by talking about software applications and issues, the common types of attacks made on software, malicious code, system development controls, and coding practices that can reduce system vulnerabilities.
• Knowledge-based systems
• Web services and other examples of edge computing
Nondistributed Systems
To penetrate these systems and make them run amok meant pene-
tration of physical barriers—guards, gates, door locks, and so on. Or
subversion was used—hiring on, learning the system, and then
removing information or sabotaging the system. Or, the attacker
could possibly coerce an employee to run a report, enter invalid
data, or perform some other activity.
As these systems grew legs—that is, as terminals were placed in offices
and directly cabled into the data center—new possibilities occurred.
The terminals, “dumb” as they were, brought information to the peo-
ple who used it. Information could be retrieved in minutes, some-
times seconds, and new information could be entered immediately.
Although no software ran on the terminals, it didn’t much seem to
matter at first. Reports were still produced by the ton, and operators
were still needed to punch in information from distributed locations.
How many people would ever hear that there was a problem that was
created by you? When mainframes and minis go down, most employ-
ees are aware only that the computer is down, not why. Contrast this
to the situation in which thousands of PC systems fail due to the lat-
est virus or worm.
PCs soon became easy victims to multiple types of software-based
attacks. For these attacks to begin, the attack software had to reach
the system. Like sharing sex partners, sharing data became a danger-
ous activity. Many malicious software programs were able to infect
systems because infected files were transported between systems via
floppy disks. The same types of program are still a threat in nondis-
tributed and distributed environments. These programs fall into the
following categories:
• Viruses—Programs loaded onto a computer without the per-
mission of its owner and then run without permission. Several
types of viruses exist, including polymorphic viruses (ones that
change their own code to evade detection), boot sector viruses
(those that infect the boot sector), multipartite viruses (which
infect boot sectors, files, and master boot records), and macro
viruses (which infect desktop application software such as
Word or Excel). Often the term virus is used as a generic term
and encompasses worms, Trojans, logic bombs, and other
types of malware.
Distributed Systems
As communications techniques improved and were reduced in cost,
remote systems were linked to the data center via direct landline,
microwave, or courier. (Couriers carried data in the form of punch
cards, or other early data collection products, from the remote sys-
tems to data entry at the corporate headquarters and returned
reports.) These were the first distributed systems. You should recog-
nize the difference between distributed systems and decentralized
systems. Here are some helpful ways to distinguish between them:
• Centralized—All computing takes place in one place. The old
mainframe/data center approach is one example; another is the
use of a mini-computer or mini-computers located in one
place and held under the central control of one department. A
single PC, used to support recordkeeping or other computing
at a small company, can also be considered as centralized com-
puting.
• Centrally controlled computing—In this scenario, comput-
ers can exist in a widely distributed fashion both within head-
quarters and at remote offices. They are, however, configured,
maintained, and controlled by a central authority.
• Decentralized—Computing facilities exist throughout the
company. They might or might not be linked with each other.
• Distributed—Computers are everywhere, and so is the process
of processing. Distributed computing does not preclude cen-
tralized control.
Managing Malware
Because malware exists in so many forms that use multiple attack
vectors, no one solution will prevent its spread in a network.
Cooperation by many companies is necessary to reduce its threat to
the global community. Some basic, good practices are recorded in
Step By Step 4.1.
STEP BY STEP
4.1 Protecting Systems from Malware
1. Have a malware policy that specifies the use of antivirus
products and provides for regular maintenance. Ensure its
approval and support by top management.
2. Make virus protection software an absolute must for every
server, desktop, and PDA in your network.
3. Make updating your virus protection products a priority
on all systems.
4. Install and properly configure special mail server virus
protection.
5. Configure mail server antivirus programs to block exe-
cutable attachments.
6. Keep all systems patched. Many malware programs take
advantage of known vulnerabilities in software.
7. Reduce attack vectors by scanning floppy disks and other
removable media before use.
8. Reduce attack vectors by disallowing ActiveX or JavaScript
download where possible.
9. Keep up-to-date on trends and actual virus threats. Good
practices can avoid much pain, and forewarning can also
help.
10. Use recommended steps to clean infected systems. In
some cases a complete rebuild is necessary to ensure no
back doors are left behind.
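Step 5 above has the mail server block executable attachments. The following is an added example, not code from the book, showing what such a gateway check looks like in Python: it parses a message and rejects attachments both by extension (catching double extensions such as report.pdf.exe) and by content, because a renamed Windows executable still carries its MZ header. The blocked-extension list, the sample message and its attachments are all constructed for the example.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions a mail gateway commonly refuses (constructed list for the
# example; tune it to your own policy)
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".cpl", ".msi", ".dll",
}
# Every DOS/Windows executable image (EXE, DLL, SCR, ...) begins with "MZ"
MZ_MAGIC = b"MZ"


def blocked_attachments(raw_message: bytes):
    """Return (filename, reason) for each attachment the policy would block.

    Two independent checks are applied so that renaming a file does not
    defeat the filter: the final extension is compared with the block list,
    and the decoded content is inspected for an executable header.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        data = part.get_payload(decode=True) or b""
        # rsplit keeps only the last extension, so "report.pdf.exe" -> ".exe"
        ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        elif data.startswith(MZ_MAGIC):
            findings.append((name, "executable header behind a harmless-looking name"))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: one harmless and two dangerous attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See the attached files.")
    msg.add_attachment("Plain-text notes, nothing executable.", filename="notes.txt")
    fake_exe = MZ_MAGIC + b"\x90\x00" + b"\x00" * 28      # minimal fake DOS header
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="report.pdf.exe")            # double extension
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf",
                       filename="invoice.pdf")               # renamed executable
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Both checks are needed: the extension list alone is defeated by renaming, and the header check alone misses script files, which have no fixed magic bytes. Archives and documents with macros need separate handling that this example does not attempt.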
Data Models
Databases are classified by the data model they use. Each model
offers unique features and issues. The most common database model
type today is relational, but other types of databases exist. Following
are the data models that are commonly used:
• Relational (DB2, Oracle, SQL Server)—Data is stored in
tables that consist of rows (like records in a regular file) and
columns (like fields). Relationships are formed between tables
based on a selected primary key. Figure 4.1 shows tables from
an accounts payable database. The customer master table is
related to the order table via the customer account number.
The customer account number is the primary key. The invoice
table includes a column that holds the customer account number.
A query of the tables could easily discover the invoices related
to a particular customer, as shown in Figure 4.2 for the cus-
tomer Peterson’s. Because Peterson’s customer number is
12347, a search of the invoice table reveals two invoices.
FIGURE 4.1
Defining the relationship between the customer and the order database.
Customer table (primary key: Customer#):
Customer# | Name | Address | City | State
12345 | ABC, Inc. | 544 Smith St. | NYC | NY
12346 | Johnson Tile | 97 Hit St. | Atlanta | GA
Invoice table (Customer# relates each invoice to the customer table):
Invoice# | Customer# | Product ID | Qty | Price
Database Issues
The DBMS is designed with integrity, recovery, access control, and
authorization mechanisms built in. Several of these controls must be
configured or utilized. Access to the database must be granted, and
granular authorizations to use the data might be possible. Backups
must be scheduled and managed, and care must be taken to ensure
appropriate configuration so as to not subvert any security features.
Many of the security issues revolve around the database administra-
tors’ management. Administrators must understand the security fea-
tures and functions of the database, be aware of security issues, and
take steps to maintain them. A number of things can go wrong; here
are the issues to be aware of:
• Default administrative passwords—In older versions of SQL
Server, the default SQL administrator password was blank.
Many commercial products that use this database as a back
end not only leave the password blank, but also will not run if
it is set to anything else. Although documentation advises set-
ting a strong system administrator (SA) password, many
administrators do not. In May 2002, a new worm called the
sqlsnake began circulating on the Internet. It took advantage
of this vulnerability to add administrative accounts to the
infected machine and send password hashes to an external
mailbox.
Yet, because the users have no direct access to data, they cannot
compose a query that might expose information they should not
have access to. Figure 4.3 illustrates this. In the figure, the full
employee table is displayed. A box laid over the table shows the
columns available from a view that has been created. Notice that
the salary field is not part of the view. By providing access to the
view, the database administrator has solved a privacy issue. Clerks
can be given access through the view to basic employee informa-
tion, but not to salary data.
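As an added example (not the book's own code, which illustrates Figures 4.1 through 4.3 only in prose), the following builds the customer/invoice relationship and the salary-hiding view in an in-memory SQLite database using Python's standard sqlite3 module. The customer rows for ABC, Inc. and Johnson Tile come from Figure 4.1; Peterson's address, all invoice rows, the employee rows and the view name are constructed. The query for customer 12347 returns two invoices, as the text describes, and a clerk who can read only the view gets no salary column, nor can the column be named in a query against the view.

```python
import sqlite3


def build_demo_database() -> sqlite3.Connection:
    """In-memory database with the tables of Figures 4.1-4.3 (sample rows constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # enforce the relationship, not just declare it
    conn.executescript("""
        CREATE TABLE customer (
            customer_no INTEGER PRIMARY KEY,          -- the primary key of Figure 4.1
            name        TEXT NOT NULL,
            address     TEXT, city TEXT, state TEXT);
        CREATE TABLE invoice (
            invoice_no  INTEGER PRIMARY KEY,
            customer_no INTEGER NOT NULL REFERENCES customer(customer_no),
            product_id  TEXT, qty INTEGER, price REAL);
        CREATE TABLE employee (
            emp_id INTEGER PRIMARY KEY,
            name TEXT, title TEXT, department TEXT,
            salary REAL);                             -- the private column
        -- The view a clerk is granted instead of the table: no salary column
        CREATE VIEW employee_directory AS
            SELECT emp_id, name, title, department FROM employee;
    """)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?, ?)", [
        (12345, "ABC, Inc.",    "544 Smith St.", "NYC",     "NY"),
        (12346, "Johnson Tile", "97 Hit St.",    "Atlanta", "GA"),
        (12347, "Peterson's",   "1 Sample Rd.",  "Boston",  "MA"),   # address constructed
    ])
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?, ?, ?)", [
        (1001, 12345, "P-10", 2, 19.95),
        (1002, 12347, "P-22", 1, 120.00),
        (1003, 12346, "P-10", 5, 19.95),
        (1004, 12347, "P-31", 3, 7.50),
    ])
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", [
        (1, "A. Smith", "Manager", "Accounting", 91000.0),
        (2, "B. Jones", "Clerk",   "Accounting", 38000.0),
    ])
    conn.commit()
    return conn


def invoices_for_customer(conn, customer_no):
    """Join across the primary key: every invoice that belongs to one customer."""
    sql = """SELECT i.invoice_no, c.name, i.product_id, i.qty, i.price
             FROM invoice AS i JOIN customer AS c ON c.customer_no = i.customer_no
             WHERE c.customer_no = ?"""
    return conn.execute(sql, (customer_no,)).fetchall()


def view_columns(conn):
    """Column names a clerk sees through the view."""
    cur = conn.execute("SELECT * FROM employee_directory LIMIT 1")
    return [col[0] for col in cur.description]


def view_exposes_salary(conn) -> bool:
    """True only if salary can be read through the view (it cannot)."""
    try:
        conn.execute("SELECT salary FROM employee_directory")
    except sqlite3.OperationalError:      # "no such column: salary"
        return False
    return True


def orphan_invoice_rejected(conn) -> bool:
    """Referential integrity: an invoice for a nonexistent customer is refused."""
    try:
        conn.execute("INSERT INTO invoice VALUES (9999, 99999, 'P-1', 1, 1.0)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_database()
    for row in invoices_for_customer(db, 12347):
        print(row)
    print("view columns:", view_columns(db))
```

In a multi-user DBMS the view is only half of the control: the clerk's account must be granted SELECT on the view and nothing on the underlying table, otherwise the view hides nothing.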
in the company and what they pay. If I know my boss’s title, I can deduce what she earns.

NOTE
Data Mining This analysis technique requires specialized software and highly trained analysts. It looks for patterns and trends, anomalous data or activity, organized activity, and even those activities that do not follow authorized procedures.

Special Considerations for Data Warehouses and Data Marts
an extension for virtual storage. Instead of placing data back in a permanent location on the hard disk, data is temporarily placed in a paging file and can more rapidly be located and moved back to RAM as necessary. You should be aware that this file might not be cleared at shutdown. Although it is protected from direct access by anyone other than the operating system while the computer is operational, it is logically represented as a file on the disk. Should an attacker gain physical access to the computer, he could boot it to another OS and make a copy of the paging file. He then could analyze it and potentially find sensitive data. In some operating systems, you can schedule the paging file for clearing at shutdown.

NOTE
Locality of Reference A computer science dictum recognizes that for most programs, only small amounts of data and code are used at any one time and that often the same pieces are used repeatedly. This is why temporary memory storage works so efficiently: The same data and code are used repeatedly. You can see this principle in a different arena. More people order vanilla ice cream versus a banana split. Not only is more vanilla ice cream ordered by the store, but spare containers of vanilla are kept at the front of the freezer for easier access.

The following lists the storage devices and the types of memory they represent:
• Credit card memory—A special, proprietary, DRAM memory module that can be used by placing it in a slot on a notebook computer.
• PCMCIA Card—A nonproprietary DRAM module that works with notebook computers designed to the standard.
• Flash RAM—A small amount of refreshable memory used by cars, TV sets, VCRs, and so on to remember configuration data. Even with the power turned off, the chip can access a small amount of power to keep itself refreshed. It is often used on computers to store hard disk information.
• Real-time clock (RTC)—An onboard chip on PCs that keeps time. Its 64-bit RAM also stores floppy and hard drive configuration information needed during boot. This RAM is kept alive by a small battery, called the CMOS battery, even when the computer is turned off.
FIGURE 4.5
Creating SAN zones allows the maintenance of access rights when new SANs are added and therefore can assist in securing data.
Knowledge-Based Systems
Knowledge-based systems, often called expert systems, attempt to parallel the thought process and deduction efforts that transpire when an expert searches for the answer to a problem. In one model, the expert examines known data and asks a series of questions whose answers lead to more questions until the answer is found.

For example, take the common workplace question, “Where should we go to lunch today?” As the local expert, you know many places that serve lunch. You might begin the process by asking what type of food the others want to eat. If Sally says, “Anywhere but nowhere expensive,” you immediately reject your favorite restaurant, Chez Topos. If a consensus is finally reached that includes Mexican or Italian, you react by filtering your list for only Mexican or Italian restaurants. Next, you ask about transportation and find out that no one drove today; thus, you reduce the list to the only restaurant in walking distance.

Expert systems use a similar technique to solve problems. They use a set of rules against known data to infer new information.

NOTE
Seeing Is Believing Sometimes it’s hard to translate a definition on paper into something the mind can relate to. Working knowledge-based systems are present in the real world; seeing the underlying processing that makes them work is often difficult. You can visit http://www.emsl.pnl.gov:2080/proj/neuron/kbs/demos.html, which provides links to research projects that demonstrate knowledge-based systems, often with information, flashing lights, or other devices that help you understand the event firing or other processing.

Another site of interest is http://www.expertise2go.com/webesie/tutorials/ESIntro/, which demos an expert system and introduces terminology along the way.
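The lunch question is easy to turn into code. The following is an added example, not from the book, of the technique the last paragraph names: a small forward-chaining engine applies a rule set to the known facts (the answers Sally and the others gave) until no further rule fires, and the inferred constraints then filter the restaurant list. The rule set, the restaurant list (apart from Chez Topos, which the text mentions) and the fact names are all constructed.

```python
# A rule is (name, set_of_premises, conclusion): when every premise is a known
# fact and the conclusion is not yet known, the rule fires and adds it.
RULES = [
    ("budget",     {"answer:not_expensive"},                 "exclude:expensive"),
    ("cuisine",    {"answer:mexican_or_italian"},            "allow:mexican,italian"),
    ("transport",  {"answer:nobody_drove"},                  "require:walking_distance"),
    # Chains on conclusions of the rules above, not on the raw answers
    ("no_booking", {"require:walking_distance", "exclude:expensive"}, "skip:reservation"),
]

# Constructed restaurant list; Chez Topos is the expensive favourite from the text
RESTAURANTS = [
    {"name": "Chez Topos",   "cuisine": "french",   "price": "expensive", "walking": False},
    {"name": "Luigi's",      "cuisine": "italian",  "price": "moderate",  "walking": False},
    {"name": "Taqueria Sol", "cuisine": "mexican",  "price": "cheap",     "walking": True},
    {"name": "Pasta Corner", "cuisine": "italian",  "price": "cheap",     "walking": False},
    {"name": "Burger Barn",  "cuisine": "american", "price": "cheap",     "walking": True},
]


def forward_chain(facts, rules):
    """Fire rules until a fixed point; return (all known facts, rules fired in order)."""
    known = set(facts)
    fired = []
    changed = True
    while changed:
        changed = False
        for name, premises, conclusion in rules:
            if conclusion not in known and premises <= known:
                known.add(conclusion)
                fired.append(name)
                changed = True
    return known, fired


def passes(restaurant, facts):
    """Apply every inferred constraint to one candidate."""
    for fact in facts:
        kind, _, value = fact.partition(":")
        if kind == "exclude" and restaurant["price"] == value:
            return False
        if kind == "allow" and restaurant["cuisine"] not in value.split(","):
            return False
        if kind == "require" and value == "walking_distance" and not restaurant["walking"]:
            return False
    return True


def choose_lunch(answers, rules=RULES, restaurants=RESTAURANTS):
    """Infer constraints from the group's answers, then filter the list."""
    facts, fired = forward_chain(answers, rules)
    names = [r["name"] for r in restaurants if passes(r, facts)]
    return names, fired


if __name__ == "__main__":
    picks, fired = choose_lunch({"answer:not_expensive",
                                 "answer:mexican_or_italian",
                                 "answer:nobody_drove"})
    print("rules fired:", fired)
    print("where to go:", picks)
```

The separation matters for the same reason it matters in an expert system: the knowledge (RULES) can be audited and changed without touching the inference engine (forward_chain), and the engine terminates because it only ever adds facts.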
the cluster. But even with the cluster, the computers are dedicated to the tasks assigned to them.

Enter grid computing, a structure in which excess processing power is made accessible for new tasks. This harnessing of idle time can be accomplished within an organization or work across boundaries connecting disparate machines across the Internet. Envision, if you will, a future in which you can sell the excess capacity of your computers much like power companies broker excess kilowatts. Grid computing also means the capability of software to aggregate other computer resources, such as information. In some ways, Microsoft’s .NET is a computing grid that distributes processing over multiple computers.

An interesting article on grid computing is “The Anatomy of the Grid, Enabling Scalable Virtual Organizations,” written by Ian Foster, Carl Kesselman, and Steven Tuecke and published at the Globus Web site (http://www.globus.org/research/papers/anatomy.pdf).

You can participate in a grid computing project; in fact, you might inadvertently be doing so. Some “free” services or downloads come with software EULAs (licensing agreements) that authorize the parent company to use excess bandwidth or processing power in your network! Grid computing projects also exist, such as SETI (http://setiathome.ssl.berkeley.edu/), which seeks to harness excess cycles on home computers to facilitate extraterrestrial research.

NOTE
Can the Holodeck Be on the Horizon? On the starship Enterprise, an empty room becomes whatever you want it to be. Simulated people and complete worlds exist where participants can enjoy a vacation, solve a mystery, or picnic with a long lost loved one. When Purdue University and Indiana University combine their supercomputers, they’ll be able to simulate the actions of real people, in hopes of solving real-world problems. Although no plans for a Star Trek-style holodeck for entertainment are revealed in their publicly listed project scope (and even this megapowered grid probably is not capable of putting bodies and worlds together for real people to walk through), can such designs be far behind? And if so, who would create them? A new report, “Global Grid Computing Report 2002: Technology and Market Opportunity Assessment,” by Grid Technology Partners (www.gridpartners.com) gives an example of how grid computing can bring more power to companies: “A company with 600 grid-enabled desktop PCs can utilize all of them together as one computer platform—suddenly providing it with enough computing capacity to go head to head with the world’s 49th largest supercomputer” (http://itmanagement.earthweb.com/it_res/article/0,,3031_1033451,00.html).

Web Services
What do you use the Internet for? Do you use it to send and receive email? Bid at an auction? Purchase books, clothes, airplane tickets, or other things? Research information to help you in your work? Many services are available on the Internet. Some of them are available to the public, and others are open only to registered users or represent private transactions between divisions of a company or between companies. But these services, though useful, are not necessarily “Web services.” One definition of Web services is that they are small, reusable programs that can be accessed from otherwise unconnected sources. Web services can be written in XML and used to communicate across the Internet or an organization’s intranet.
entirely independent of every other subprogram. Processing occurs when these subprocesses are strung together like so many scenes from good movies. In short, we’ve moved to collage computing.

Here’s an example: Today, if I want to schedule a flight to Seattle, I can book it online either through an airline’s site or at one of the aggregation sites, such as Expedia or Orbitz. When I do so, my request for available flights is processed entirely by the site I’m connected to. It might access other sites to compile information and present it to me, and it might recontact those sites to actually book my flight after I’ve purchased it from the site. In short, it acts as a travel agent, gathering and then feeding me information I request and making arrangements for me after I decide. It might even ask whether I also need hotel or car rental services, but it is the Web site which is the aggregator.

NOTE
Reality Check Web services tool kits for Microsoft Office XP let users pull data into Excel spreadsheets from Web sites. To do so, the Web sites must host Web services. The tool kits help develop them. Companies that have used the tool kit include FedEx, Jet Blue Airways, and General Motors. Maybe my previous example of the user aggregating the data is not so far behind. To find out more about Microsoft Web services, visit the following: http://www.microsoft.com/net/defined/whatis.asp.
In the future, Web services at each airline will advertise available
flights and rates. At hotels and car rental agencies they will do like-
wise for their services. Web services at the aggregator, instead of
complex applications, will work with the Web services of the other
companies to obtain data that they then merely feed into their pro-
prietary formats. There might even be a Web service resident on
your computer that can independently visit multiple airlines and
compile composite information.
In the past, much work on the part of the aggregator and the airline
was necessary to build communication links and process between
them. With Web services, the airline could build the Web service
once and any aggregator running Web services (perhaps a plug-in to
my browser) could access them.
Web services can also solve the problem of interim information.
Because my travel will be on an airline and my contract is with an aggregator, what happens when the airline adjusts its schedule? Currently, the airline notifies the aggregator who, hopefully, notifies me. The aggregator does not want me to be directly contacted by the airline—it might lose me as a customer. With Web services, my resident Web service might, with information obtained from the initial transaction, periodically query the airline Web service for updates. When an update is received, some form of alert might be communicated to me (possibly on my cell phone or PDA).

NOTE
A Thousand Points of Light What president said that? (It was George Bush.) He was speaking of creating a nurturing climate for education and envisioning new efforts at schools as shining points that spread across the country. If you close your eyes, can you see Web services as small lights spread across the Internet?
ATTACKING SOFTWARE
Discuss the types of attacks made on software
vulnerabilities.
To write or select good software and to protect it from compromise,
you must understand how software is developed, the controls that
are available during its production, and the types of attacks that are
directed at software. This section enumerates the latter.
Many attacks on software are based on flaws, whereas others are
directed at the inherent weaknesses in the components, protocols,
and processes from which software is built. Still others work by sub-
verting the process and placing malicious code within an otherwise
innocuous application. The following sections discuss the typical
attack types that are often utilized.
For example, the attacker might crash the server by overflowing the
buffer of some data entry point. Much code is written that does not
check the length of data entered by the user. When long strings are
sent, instead of the expected information, a system crash or worse
can be the result. For more information, see the section “Eliminating
Buffer Overflows.”
Another DoS, called a smurf attack, is the result of sending a spoofed
source address in an ICMP ping packet to the broadcast address, thus
causing all computers on the network to send a response to the victim
(at the spoofed source address). The ICMP ping command seeks to
see whether a computer can be located on the network. When it is
used, the source address—that is, the IP address of the computer that
is used to issue the command—is automatically entered into the pack-
et that traverses the network. The destination address is the IP address
of the computer that is sought. If that computer is on the network
and receives the request, it returns an answer to the source address.
However, an attacker might craft a packet and place the IP address of
his victim as the source address. If this packet is sent as a broadcast
(meaning, it would be received by every computer on the network), all
computers would answer by sending a response to the victim. This
might overwhelm the victim, hence causing the DoS. Figure 4.6 illus-
trates the problem. The solution is software written to prevent the
problem, and indeed most modern TCP/IP stacks are written that
way; the attack succeeds only where such a software flaw remains.
FIGURE 4.6
The classic smurf attack. (Diagram: the attacker, at 192.168.5.2, sends a broadcast ping carrying the victim’s address, 192.168.5.15, as its source; every host on the segment answers “yes” to the victim.)
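The exchange just described leaves two traces a defender can look for in packet records: an ICMP echo request addressed to the segment's broadcast address, and a burst of echo replies from many hosts converging on one address. The check below is an added example, not from the book. The packet records are constructed, reusing the book's addresses (victim 192.168.5.15 on a 192.168.5.0/24 segment); the reply threshold is an assumption. Note that the source of the forged request is the victim, not the attacker: in a smurf attack that field is spoofed, so nothing in the IP header names the attacker.

```python
import ipaddress
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8      # ICMP type values


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured packet (constructed records, not real traffic)."""
    src: str
    dst: str
    proto: str          # "icmp", "tcp", ...
    icmp_type: int = -1


def detect_smurf(packets, lan="192.168.5.0/24", reply_threshold=5):
    """Return alerts for broadcast echo requests and for reply floods.

    The source of a broadcast echo request is reported as the likely victim,
    because in a smurf attack that field is spoofed to the target's address.
    """
    net = ipaddress.ip_network(lan)
    broadcast = {str(net.broadcast_address), "255.255.255.255"}
    alerts = []
    responders = {}                       # reply destination -> set of reply sources
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.icmp_type == ECHO_REQUEST and p.dst in broadcast:
            alerts.append(("broadcast-echo-request", p.src))
        elif p.icmp_type == ECHO_REPLY:
            responders.setdefault(p.dst, set()).add(p.src)
    # Many distinct hosts all replying to one address is the amplification itself
    for victim, sources in responders.items():
        if len(sources) >= reply_threshold:
            alerts.append(("reply-flood", victim))
    return alerts


def sample_capture():
    """Constructed traffic: one normal ping exchange, then the smurf exchange."""
    victim = "192.168.5.15"
    pkts = [
        Packet("192.168.5.20", "192.168.5.21", "icmp", ECHO_REQUEST),
        Packet("192.168.5.21", "192.168.5.20", "icmp", ECHO_REPLY),
        Packet("192.168.5.20", "192.168.5.21", "tcp"),
        # The forged request: source set to the victim, destination the broadcast
        Packet(victim, "192.168.5.255", "icmp", ECHO_REQUEST),
    ]
    # Every host on the segment answers the victim
    for host in range(3, 11):
        pkts.append(Packet(f"192.168.5.{host}", victim, "icmp", ECHO_REPLY))
    return pkts


if __name__ == "__main__":
    for kind, addr in detect_smurf(sample_capture()):
        print(f"{kind}: {addr}")
```

The first alert fires on the segment being used as an amplifier, the second on the victim's side; either alone is worth investigating. Locating the true sender requires link-layer data (the switch port or MAC address the forged request arrived on), which the IP header does not carry. On the prevention side, routers that do not forward directed broadcasts and hosts that do not answer broadcast pings stop a segment from serving as an amplifier at all.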
FIGURE 4.7
Distributed denial-of-service attack. In the diagram, the attacker is controlling multiple PCs or zombies to attack another PC, the victim. (Diagram: attacker, zombies, victim.)
NOTE
Flooding In mid-2002 a new worm began to move across the Internet. It sought to take advantage of a software flaw in the Apache Web server for FreeBSD in order to make the server a zombie. You’re correct if you equate that with the mindless creatures under the control of the evil monster in some twentieth-century horror flick. Computer zombies are under the control of a master. The worm was trying to create its own stable of compromised machines, a flooding net, that it could then use in a coordinated attack against some new victim.

Protection against many forms of DoS consists of the application of all current patches and service packs. For other types of DoS, the solution will only come when all software is written to prevent buffer overflows. Still other attacks cannot be prevented except by blocking traffic from the attacker. DDoS attacks will be possible as long as there are vulnerable machines on the Internet.
Spoofing
There are many types of spoofing attacks and many attacks use
some form of spoofing to accomplish their goal. We have already
discussed one, the smurf attack, in which an IP address is spoofed.
Miscellaneous Attacks
Software-based vulnerabilities include intentional misrepresentations,
accidental inclusions, and poor design. Examples of each of these are
as follows:
• Hidden code—Code can be inserted within an approved soft-
ware program. In poorly managed code, where code review is
not done, this can be easily accomplished by a member of the
team. Otherwise, special techniques might be used. One tech-
nique uses the NT File System (NTFS) or other file systems
that use file streams. This is a little-known capability of NTFS,
and it quite easily could be used to hide code. Although it is
easy to view the code if you know it is there, finding which
files might be using file streams is not an easy task. Another
technique would be to develop and use a virus to hide code
within existing code. Viruses typically attach themselves to
existing code so that they can hide. Vet, or approve as trust-
worthy, application development teams and audit their work.
Scan code for the use of file streams, viruses, and such.
Network Software
A server can be vulnerable due to flaws in the software or it can be at
risk simply due to the role it plays. Likewise, the networking software
and hardware that connects the computers on your network might
also put it at risk. Examples of this are plentiful; here are a few:
• In a Windows network with browsing enabled, computers
show up in the browsing window. When clicked on, those
computers reveal shares, or entry points, to the hard drives.
Definitions abound in this area, and not all of them are agreed upon.
For our purposes, however, we’ll state the more common explana-
tions and then explore approaches for dealing with them.
IMPLEMENTING SYSTEM
DEVELOPMENT CONTROLS
Discuss system development controls.
System development controls can be beneficial in two ways: in the
use of a strong systems development lifecycle, and in following
sound best practices.
Waterfall
The classical waterfall approach to software development has been
with us for a very long time. Each step from conceptual develop-
ment to maintenance flows from the top down. Figure 4.8 illustrates
the model. Historically, the development process was described as a
logical progression of steps. One phase was completed, and then the
next phase initiated. Meanwhile, down in the trenches, realists fol-
lowed the steps, but were not afraid to return to an earlier phase if it
meant a better product in the end.
FIGURE 4.8
The waterfall methodology got its name from the way each phase seems to flow into the next. (Phases, top to bottom: Definition, Systems Analysis, Design, Design Review, Construction, Code Review, System Test, Certification, Implementation, Maintenance, Disposal.)
STEP BY STEP
4.2 Following the Lifecycle Model
1. Develop a preliminary design.
2. Develop a prototype from the design.
3. Develop the next prototype.
4. Evaluate.
5. Define further requirements.
6. Plan and design another prototype.
7. Construct and test this prototype.
8. Repeat steps 3–7 until the customer is satisfied that the
prototype meets the requirements.
9. Construct the system.
10. Thoroughly test the final system.
In essence, four operations are repeated over and over until the right
design is created, which is then put into production. The four opera-
tions are
• Planning/review—Determine the objectives of the system to
be developed.
• Risk analysis, prototype—First, identify all alternative solu-
tions and perform a risk analysis. Resolve the risks and create
the prototype.
• Engineering—Develop and verify the product requirements.
Validate the design. Do a detailed design and validate it. Code
a test product.
• Plan the next phase—Review for customer satisfaction.
Perform requirements planning, development planning, and
integration planning, and create a test plan.
Does this sound something like the spiral development model? The
differences here are that the requirements and change review are time-
boxed. That is, a limited time is allotted to each phase. As the end of
this time approaches, secondary features are dropped to stay on sched-
ule. The repetitive process might function over a day or over a few
weeks with the prototype evolving into the operational product. The
total time for development might be six months or less. In contrast,
the spiral model is not time-boxed. It might extend over long periods,
and the product is developed with the final prototype as a guide.
The RAD process, if not carefully controlled, can degenerate into
quick-and-dirty application development (QADAD). Even its pro-
ponents agree that it should not be used to develop an operating
system or other product where the need for quality is high, for
games where the demand for performance is high, or for any
product that is mission- or life-critical.
A more detailed description of RAD can be found at http://
csweb.cs.bgsu.edu/maner/domains/RAD.htm#2.
Best Practices
Several systems development practices exert control over the process.
These practices can be followed no matter the software development
model used.
The first principal concern is the partitioning of development from
production. All development work should be done on test systems,
not on production systems. Even minor fixes should be done in the
development environment, and thoroughly tested before putting the
new code into production. This practice minimizes several risks.
Because, in some cases, developers must have near-total control over
their machines, it is unwise to let these machines be production
machines. To allow them administrative control over production
machines would be to violate the principle of separation of duties
and least privilege. These principles are useful as they avoid potential
fraudulent misuse of systems as well as accidental damage, or unau-
thorized access to sensitive data and processes.
The second promotes documentation of code and of code changes.
Good program documentation makes it easier to maintain, and to
bring new individuals up to speed faster on the systems. Although
false documentation could lead reviewers astray, validated documen-
tation assists reviewers, troubleshooters, and future generations of
programmers that must fix or replace code.
The third requires backup of development as well as production
code. Many systems are usually in place to back up data and pro-
grams to assure business continuity in the face of any disaster. Few
have considered the devastating effect of losing source code and code
in development.
Fourth, continuous training is essential in a world where rapidly
changing and advancing standards, practices, hardware, and method-
ology means skills can be rapidly outdated.
Finally, the adoption of coding standards, systems development
models, practices, and methodologies assists the programming team
in producing quality code that is reliable and secure.
Structured Programming
The structured programming methodology was developed in response
to the lack of methodology and structure in early development efforts.
was executed in sequence until an instruction required a move or jump to another line somewhere else in the code. Execution continued at that point until another branch moved execution elsewhere and so on and so on. This type of programming is very difficult to maintain, makes it difficult to understand what is actually going on, and it is difficult to determine the impact of any changes you might make. It earned for itself the name spaghetti code, because of the tangled mess it appears to be. You can still find some of these programs today. I hope you do not have to deal with them. Often these projects had no organization at all. Some of this was due to the early languages and to the lack of training in methodology. Early programmers were often trained on the job, and the emphasis was on syntax, or how to write code that would work, not on making it neat or maintainable.

NOTE
Spaghetti Code Some programmers still use this method of coding today. Many of them are self-taught. It is just as hard to maintain their code today as it was in the past.
In contrast, structured programming requires the programmer to be
aware of the flow and control of the program.
Structured programming is based on several principles:
• Modularity
• Top-down design
• Limited control structures
• Limited scope of variables
How do you solve large problems? Most people have an easier time
solving large problems if they can break them down into small man-
ageable chunks. This is the heart of structured programming.
Instead of composing one large body of code, the work that the pro-
gram needs to do is broken down into smaller parts that are them-
selves broken down into still smaller parts and so forth. These parts
are called modules. Modules are small functional pieces of code that
perform a function. Logically you might compare the process to
writing a book. You start with a top-level outline which states the
topics that will be covered, and then you break each topic down a
couple of more levels. The outline can then become the structure
within which the words are written that tell the story. Each topic
becomes a chapter and its inner levels become subtopics.
Just as the book outline proceeds from a high-level outline to
the details, a structured program is based on a top-down design.
This means a hierarchy of modules branch off a main module.
The main module is the place where execution of code begins. Each
module can also call other modules, but the program eventually
returns to the main module either to traverse another path through
the program, or to end. If you read a novel, you probably read from
one end to the other, but when you use a reference book, you proba-
bly look up a topic in the table of contents, and jump to the page or
section you want.
Figure 4.11 shows a tiny example of how this might work. You can
clearly see the main module and the four choices for program direction.
The four modules are also represented; module 1 can also call
module 5. The flow of the program might be as illustrated by the
arrows which trace the path from the main module to module 1, to
module 5, then back to 1 and back to the main module. This is not
the only path of execution. It is merely an example of how the activity
might flow. In the real world few programs would be this simple;
indeed they might have hundreds if not thousands of additional
modules.
FIGURE 4.11
Structured programming promotes the use of modules.
[Figure: Main Module (Menu: 1, 2, 3, 4) branching to Module 1 (If true call 5), Module 2, Module 3, and Module 4; Module 1 calls Module 5 and control returns to Module 1 and then to the Main Module.]
Although some structured programming languages enable the simple
branching statements, structured programming methodology requires
more limited control structures. An instruction might require control
to go to another statement—that is, the beginning of another module.
However, it requires that when that module has completed, control be
returned to the calling module. Another example of a control structure
used in structured programming is a loop. A loop iterates through a
series of instructions and terminates when some condition is met.
Perhaps it will continue, adding one to a base number until some preset
total is matched. Perhaps, it will continue until the user selects
the Exit button on the screen. Or perhaps, it continues until the end
of a file is found. In the latter case, imagine you are reading a list of
names. Each time you read a name, you write it down on another
piece of paper. Your loop would look something like Step By Step 4.3.
STEP BY STEP
4.3 An Example of a Simple Loop
1. Read the name.
2. Write it down.
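The following is an added example, not code from the book: a small structured program laid out like Figure 4.11, with the loop of Step By Step 4.3 as one of its modules. Execution starts in main(), each menu choice is dispatched to exactly one module, and every module returns control to the place that called it. The module names, the menu numbers, and the sample list of names are all assumptions made for the example.

```python
# Added example, not from the book: a small structured program laid out like
# Figure 4.11, with the loop of Step By Step 4.3 as one of its modules.
# Module names, the menu numbers, and the sample input are all assumptions.
import io

# Constructed sample input for module 2: a list of names, one per line.
SAMPLE_NAMES = "Alice\nBob\n\nCarol\n"


def module5(value):
    """Called only from module 1; when it completes, control returns there."""
    return value * 2


def module1(value):
    """Module 1: 'If true call 5'. Either way, control returns to main."""
    if value > 0:
        value = module5(value)
    return value


def module2(source):
    """Step By Step 4.3: read the name, write it down, until end of file."""
    written = []
    for line in source:          # the loop terminates when the file is exhausted
        name = line.strip()
        if name:                 # a blank line is not a name; do not copy it
            written.append(name)
    return written


def module3(preset_total):
    """A loop that adds one to a base number until a preset total is matched."""
    base = 0
    while base < preset_total:
        base += 1
    return base


def module4():
    """Menu choice 4: ask the main module to end the program."""
    return "exit"


def main(choices):
    """The main module: execution starts here, and every module returns here.

    `choices` stands in for the user's menu selections. Each selection is
    dispatched to exactly one module (no jumps into the middle of code), and
    the result is recorded before the next selection is handled.
    """
    trace = []
    for choice in choices:
        if choice == 1:
            result = module1(21)
        elif choice == 2:
            result = module2(io.StringIO(SAMPLE_NAMES))
        elif choice == 3:
            result = module3(5)
        elif choice == 4:
            result = module4()
        else:
            # Limited control structures: an unknown choice is reported, not
            # silently branched somewhere unexpected.
            raise ValueError(f"no module for menu choice {choice!r}")
        trace.append((choice, result))
        if result == "exit":
            break
    return trace


if __name__ == "__main__":
    for choice, result in main([1, 2, 3, 4, 1]):
        print(choice, result)
```

Each module owns its own local variables (limited scope), and the only way into a module is a call from main or from another module, which is what makes the path of execution easy to trace.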
Object-Oriented Programming
When I drive a car I don’t think about the internals of the combus-
tion engine. I don’t look under the hood before I open the door and
get in. I just don’t care. And I suspect many of you don’t either.
What we want is safe, reliable transportation. (Some of you might
be looking for other things but for most of us, it’s not the internal
workings of the car that matter, but what we and others see on the
outside.)
To us then, it is what we can do with the car that matters, not the
intimate details of how it works. This is also the essence of object-
oriented programming. In an object-oriented program, objects,
which are structures that contain data and code, are the building
blocks. Just as we make a car take us where we want to go by using
the steering wheel, and make it move by pressing an accelerator
pedal, objects have an interface by which they are manipulated. Let’s
look at a simple example.
Our problem, again, is the addition of two numbers. In the structured
program, we created a module. Three data variables were used
by the module, one for each number and one to return the answer.
Inside our module we write the code to do the math. It’s easy to
trace the execution path by looking at the code we have written and
following it along. Figure 4.12 shows simplified pseudocode for such
a program.
Pseudo Code Add Two Numbers
1. declare number1, number2, result as integers
2. main
   2.1 number2 = readnumber
   2.2 number1 = readnumber
   2.3 result = add(number1, number2)
3. add (number1, number2)
   3.1 declare sum as integer
   3.2 sum = number1 + number2
   3.3 return sum
FIGURE 4.12
Pseudo code for adding two numbers.
To use the object-oriented paradigm, we first write a class. A class is
simply an abstraction, a description of an object. When we actually
want to use the code written in the class, we create an object. Figure
4.13 is the pseudocode for our class. As you can see it contains three
variables, and its own module, called a method, Add. The code for
the Add method simply adds the two numbers it’s given and returns
the answer. Now, to perform the calculation, we instantiate, or create
the object, and then send it a message—or call its method. Figure
4.14 is the pseudocode for this operation.
Class Math
Variables:
   number1, number2, result, integers
Methods:
   Result = add (number1, number2)
      sum integer
      sum = number1 + number2
      return sum
FIGURE 4.13
Object-oriented programming: defining the class.
Add two numbers
Num1, num2, sum1 = int
get(num1, num2)
Calc = new(math)
Sum1 = calc.add(num1, num2)
FIGURE 4.14
Object-oriented programming: adding two numbers.
You might have noticed some similarities here. There are still three
variables involved and the code to add them looks the same. There
are differences too; the code that actually did the work is hidden
from the main program. In structured programming, a module is
called to perform a function. In object-oriented programming, an
object is sent a message (a command) to perform a function. The
function and the data variables are encapsulated within the object.
In the structured programming example, the module definition is
combined with the instructions which call it. In the object-oriented
example, the actual code to add the numbers is further hidden in a
separate construct.
The object-oriented concept here is to keep the details hidden. In
the real world, programs are much more complex. Objects, like the
internal combustion engine of my car, don’t need to expose their
inner workings in order to be used. We can encapsulate them and
only work with them through their exposed interface. For my car,
that’s a key in the ignition, a steering wheel, and so forth. For the
program, it means public methods.
There are other object-oriented concepts as well. Classes, those
building blocks of object-oriented programming, can inherit from
other classes. Inheritance, means that some of the functionality of
child classes can come from the parent class. Just as traits such as
blue eyes or musical ability are inherited, functionality can be too.
NOTE
Want More?
For those of you with some programming background, an excellent introduction to object-oriented programming is Peter Mueller’s An Introduction to Object-Oriented Programming Using C++, which you can find at http://www.zib.de/Visual/people/mueller/Course/Tutorial/tutorial.html. Other good OO (object-oriented) resources are listed at the end of this chapter.
0–10. Later, you worked with larger numbers, and then fractions and
decimal numbers. Although the operation was similar, you had to do
the addition in a slightly different way. Today, you hardly think of the
differences. If you need to add two numbers you simply do so. Your
ability to add is polymorphic, that is, you can use the word add for
many purposes. Our simple class, described above, might have been
written to accommodate all these types of addition. Its inner workings
on how it does this are not relevant to our use of the class. Any correctly
structured message to the add function, whether it includes integers,
decimal numbers, or something else, will get us the correct result.
(That something else could even be two words. To add two words
might mean we obtain their concatenation. So if we enter the two
words red and hat, we obtain the result redhat.) How this is accomplished
is defined by the inner workings, but we don’t need to know
how the addition is accomplished; we simply need to have a description
that tells us this class can be used to add the following types of
items. The ability to have one method available for many uses represents
the polymorphic characteristic of object-oriented languages.
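As an added example (not the book’s own code), here are Figures 4.12 to 4.14 and the polymorphic add just described, written as running Python. The structured version leaves the work in plain view of the caller; the class hides its variables and accepts whole numbers, fractions, decimal numbers, or two words through the one add method. The names add_module, structured_main, Math, oo_main and demo are assumptions.

```python
# Added example, not from the book: Figures 4.12 to 4.14 and the "add" note
# above as running Python. Names such as add_module, structured_main, Math
# and oo_main are assumptions.
import numbers
from decimal import Decimal
from fractions import Fraction


# --- Structured version (Figure 4.12): a module and the main that calls it ---
def add_module(number1, number2):
    """Step 3 of Figure 4.12: the work is done in plain view of the caller."""
    total = number1 + number2
    return total


def structured_main(number1, number2):
    """Step 2 of Figure 4.12 (the two readnumber calls become parameters)."""
    result = add_module(number1, number2)
    return result


# --- Object-oriented version (Figures 4.13 and 4.14) ---
class Math:
    """The data and the method that operates on it are encapsulated here."""

    def __init__(self):
        # Hidden state: main never touches these directly, only via add().
        self._number1 = None
        self._number2 = None
        self._result = None

    def add(self, number1, number2):
        """Polymorphic add: two numbers of any kind, or two words.

        The description a caller needs is just this: the method accepts two
        numbers (int, float, Fraction, Decimal, ...) or two strings. How each
        case is carried out is an inner detail of the class.
        """
        self._number1, self._number2 = number1, number2
        if isinstance(number1, str) and isinstance(number2, str):
            self._result = number1 + number2            # "red" + "hat" -> "redhat"
        elif isinstance(number1, numbers.Number) and isinstance(number2, numbers.Number):
            self._result = number1 + number2
        else:
            # Anything outside the advertised description is refused, not guessed at.
            raise TypeError(
                f"Math.add takes two numbers or two words, not "
                f"{type(number1).__name__} and {type(number2).__name__}")
        return self._result


def oo_main(num1, num2):
    """Figure 4.14: instantiate the class, then send it the add message."""
    calc = Math()
    sum1 = calc.add(num1, num2)
    return sum1


def demo():
    """Exercise each supported kind of addition; results returned as strings."""
    return {
        "integers": str(oo_main(2, 3)),
        "fractions": str(oo_main(Fraction(1, 2), Fraction(1, 3))),
        "decimals": str(oo_main(Decimal("1.10"), Decimal("2.20"))),
        "words": oo_main("red", "hat"),
    }
```

The main program is identical for every kind of addition; only the description of what Math.add accepts is public, and the type check at its boundary is what keeps an unexpected message from producing an unpredictable result.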
If the code does not check to ensure that only two characters
are entered, the result is a buffer overflow. Some buffer over-
flows are relatively harmless; they merely crash the program
(obviously I jest). Others can give an attacker the opportunity
to execute further attack code, eventually giving them root
access on the system. Buffer overflows can be eliminated by
coding practices which test data entry and by programs that
search code for potential buffer-overrun problems.
• Prevent array indexing errors—An array is an ordered data
structure used in programming to hold several pieces of data. It
can be an array of characters, numbers, or other types of data.
You can think of an array like the mailboxes at a post office.
Each box has a number and mail is sorted into the boxes
according to these numbers. Because the boxes are numbered
and arranged in order, it is easy to locate any box. Likewise,
array elements can be located and data stored or retrieved from
any position by referencing its number or index. Figure 4.15
illustrates an array of numbers. To print the number 22, the
programmer would reference the array name and the index 5.
Software errors occur when the programmer makes a mistake in
referencing elements of the array. Different programming languages
number the elements in the array differently; some start
the index at 0 and others at 1. Thus, for an array of five elements,
the last element might have an index of 4 or 5 and the
first element might have an index of 0 or of 1. Improper referencing
can cause the program to “fall off” the end of the array
and produce unpredictable results. Proper coding techniques
prevent errors because these types of errors are tested for, and
bounds checking, or making sure there are no references to
nonexistent array members, is done within the program.
FIGURE 4.15
An array is a structure that holds data in order. The data can be referenced in a software program by indicating the position it fills in the array.
index  number
0      4
1      7
2      10
3      3
4      8
5      22
6      25
7      23
8      67
9      45
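As an added example (not from the book) covering both the buffer overflow paragraph and the array indexing point, the array of Figure 4.15 is used below with explicit bounds checking for 0-based and 1-based numbering, a check that lists any references that would fall off the end, and the input-length test that keeps a field from overrunning the buffer it is destined for. FIGURE_4_15 holds the figure’s values; the function names are assumptions.

```python
# Added example, not from the book: the array of Figure 4.15 with explicit
# bounds checking, plus the input-length check the buffer-overflow paragraph
# calls for. FIGURE_4_15 holds the figure's values; the function names are
# assumptions.

# The numbers from Figure 4.15, in index order 0..9.
FIGURE_4_15 = [4, 7, 10, 3, 8, 22, 25, 23, 67, 45]


def element_at(array, index, base=0):
    """Return the element at `index`, where the first element is numbered `base`.

    Raises IndexError instead of reading outside the array. Note that Python
    would not crash on array[-1]; it silently returns the *last* element,
    which is its own kind of surprise, so negative positions are rejected too.
    """
    if base not in (0, 1):
        raise ValueError("arrays are numbered from 0 or from 1")
    position = index - base
    if not 0 <= position < len(array):
        last = len(array) - 1 + base
        raise IndexError(f"index {index} is outside the valid range {base}..{last}")
    return array[position]


def unsafe_references(length, indexes, base=0):
    """List the indexes in `indexes` that would fall off an array of `length`.

    This is the kind of check a reviewer or a code-scanning tool applies to
    every array reference, and it catches the off-by-one at either end.
    """
    first, last = base, length - 1 + base
    return [i for i in indexes if not first <= i <= last]


def accept_field(text, max_chars):
    """Accept input only if it fits the buffer it is destined for.

    Returns the text when it fits and None when it would overrun; the caller
    must treat None as a rejected input, not as an empty one.
    """
    if len(text) > max_chars:
        return None
    return text
```

A five-element array numbered from 0 has a last index of 4; the same array numbered from 1 has a last index of 5, and unsafe_references makes that arithmetic explicit instead of leaving it to each call site.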
• Utilizing good access control—Access-control techniques are
available to the programmer. The operating systems for which
they code offer granularity in protecting files, printers, and other
types of data. When the programmer ignores or abuses these
capabilities, he does not allow the administrator to enforce
them. In both Unix and Windows NT and above, file access
controls can be set in the file system. They can be set adminis-
tratively either through a GUI or through commands, but they
can also be set programmatically. The overall design of the pro-
ject should specify the minimal access necessary for code and
user and the programmer should follow these specifications.
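The following is an added example, not the book’s code, of setting file access programmatically to the minimal access a design calls for: the file is created readable and writable by its owner alone, creation fails if a file of that name already exists, and a second function reports whether anyone other than the owner was granted access. The function names, the file name and the contents are assumptions; the mode bits follow Unix semantics, and on Windows the NTFS access controls the text mentions are set through a different interface.

```python
# Added example, not from the book: creating a file programmatically with the
# minimal access the design calls for (owner only), and checking that no
# wider permission slipped in. Function names, the file name and its contents
# are assumptions; the mode bits are Unix semantics.
import os
import stat
import tempfile


def create_private_file(path, data):
    """Create `path` readable and writable by its owner alone (mode 0600).

    O_EXCL makes creation fail if the file already exists, so the permissions
    are applied to a file we know we created rather than to one somebody else
    placed there first. The process umask can only remove bits, never add them.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_group_or_world_accessible(path):
    """True if anyone other than the owner has read, write or execute access."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo():
    """Create a private file in a fresh temporary directory and report on it."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "app-settings.cfg")
    mode = create_private_file(path, b"db_password=constructed-example\n")
    exposed = is_group_or_world_accessible(path)
    try:
        create_private_file(path, b"second attempt")
        second_create_failed = False
    except FileExistsError:
        second_create_failed = True
    return mode, exposed, second_create_failed
```

Passing the mode to os.open at creation time closes the window that exists when a file is created with default permissions and tightened afterwards.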
What good, for example, are steel barred doors, if windows are
easy to open, and glass to break? Why attack the password file
hoping to discover the administrator’s password when a buffer
overrun exploit can gain the attacker control over the system?
Time spent looking for and securing the weak links is well spent.
Attackers many times can be rebuffed when the known weak links
are secured.
Good design and coding practices can mean better, more reliable
and more secure software. The results are quantifiable. Where they
are implemented, the number of bugs is reduced and customer satis-
faction improves.
C A S E S T U DY : T R U S T W O R T H Y C O M P U T I N G
ESSENCE OF THE CASE
The essence of this case and the thrust of Trustworthy computing is
. Availability—Lack of system outages, and self-recovery when necessary.
. Security—Data and systems should be protected.
SCENARIO
Can software development processes be changed to provide more secure code? You are currently involved in just such a project. In January 2002, an internal memo was leaked to the press. It outlined an internal project that sought to produce more secure code.
A N A LY S I S
To its credit, Microsoft has not indicated that this is an easy task that can be solved by a couple of months of code review and programmer training. Further explanation of the long-term (10–15 year) commitment necessary for the success of the vision, and the necessity that all organizations participate, is illustrated in a later whitepaper delivered by Craig Mundie, Senior Vice President and CTO, Advanced Strategies and Policy. You can read this paper at http://www.microsoft.com/presspass/exec/craig/05-01trustworthywp.asp.
Many were quick to criticize the memo as just a marketing ploy. Microsoft has been heavily criticized for a long time for producing security-weak, buggy products. This memo was seen as an attempt to change public attitude without doing anything. Microsoft also announced an immediate month-long shut down of work on .NET, the next version of the Windows operating system. The announced purpose was the training of programmers on writing secure code and the scouring of .NET and other existing product code for software bugs. Various sources at Microsoft claim some 9,000 programmers have been trained and that the shutdown lasted for two months.
Additionally numerous bugs have been corrected and the orientation of .NET changed to focus on security versus features.
In response to the original memo and later announcements, a Web site, www.trustworthycomputing.com, put up a page to refer to a www.google.com search page for “Microsoft security or privacy flaw or flaws or hole or holes.” News of this Web page initially dominated the press response to Microsoft’s campaign.
In contrast, vendors who have promoted “trusted systems” engineered to deliver security solutions are seizing the opportunity to advertise their solutions. On-board smart card readers in keyboards, and other hardware devices, as well as specialized BIOS-level routines are touted as the answer in the April 4, 2002, article “Signs of Trustworthy Computing,” available at http://www.wired.com/news/business/0,1367,51521,00.html.
Trustworthy Computing is a goal that might not be accomplished for many years, if ever. However, there cannot help but be improvements in computer security along the way.
CHAPTER SUMMARY
Applications can contribute to the security of our computer systems
or continue to add additional vulnerabilities to them. The choice is
ours. We must scrutinize the applications that will be used on our
systems and within our networks, and we must not forget the application
development process and its contribution to security or vulnerability.
In addition, we should realize the impact of the Internet,
or chats, channels, and email as portals for the distribution of malicious
applications as well as harmless ones. It is no longer enough to
manage the applications that are part of our organizations’ business
processes. We must realize how easy it is for peripheral code to enter
our systems for good or evil.
KEY TERMS
• Basic input output system (BIOS)
• Blended malware
• Boot sector virus
• Brute-force attack
• Cache
• Centralized controlled computing
• Centralized systems
• Data consistency
• Data independence
• Data mining
• Data recovery
• Data redundancy
• Data reuse
• Data warehouse
• Decentralized
• Dictionary attack
• Distributed
• DBMS
• Dynamic random access memory (DRAM)
• Flooding net
• Grid computing
• Hardware segmentation
• Hierarchical database
A P P LY Y O U R K N O W L E D G E
Exercises
4.1 Password Cracking
How easy is it to crack passwords? It’s certainly easy to
talk about the reasons for strong passwords, and the
need to develop alternatives to them. But how much of
a problem is it really? To find out, obtain and run a
password cracker on a system on which you are authorized
to do so. The easiest process to follow is to set up
a test Windows NT or Windows 2000 system, create
accounts and populate them with passwords, and then
run a cracking program against them. This exercise
details how to do so.
Estimated Time: 1 hour
1. Locate a system capable of running Windows
2000. Do not utilize a production system! Not only
is it unethical to crack passwords on a system, it
is illegal. You could find yourself in serious trouble.
Cracking passwords as part of an audit to
determine the use of strong passwords is a legitimate
security technique; however, when doing so,
permission must be obtained in writing. For our
purposes, it is only necessary to demonstrate the
technique, not to perform a true audit.
2. Load Windows 2000 Professional or Server. If
you do not have a licensed copy for testing purposes,
you can usually obtain a limited use (time-bombed)
demonstration copy. This system will
only be used for this experiment and therefore
only needs to be operational for a few days.
3. Download a 15-day trial copy of LC4 from
http://www.atstake.com/research/lc/download.html.
This is the latest version of the
popular and notorious Lophtcrack product from
@stake.
4. Populate the Windows 2000 system with at least
a dozen user accounts. This is done by selecting
Start, Programs, Administrative Tools, Computer
Management, Local Users and Groups, Users and
selecting New users.
5. Create passwords for the users which reflect typical
choices by users—for example, names, birthdates,
popular characters, pet names, and so on,
as well as some strong passwords (those including
upper- and lowercase letters, numerals, and punctuation
marks).
6. Install LC4. (You must be logged on with an
administrative account.) To install only requires
double-clicking on the downloaded executable
and accepting the defaults.
7. Run LC4. Select Start, Programs, LC4, LC4.
8. At the LC4 wizard welcome page, click Next.
9. On the Get Encrypted Passwords page, leave the
default option, Retrieve from Local Machine,
checked and click Next.
10. On the Choose Auditing Methods page, leave the
default option, Strong Password Audit, checked
and click Next.
11. On the Pick Reporting Style page, leave the
defaults alone and click Next. Click Finish.
12. Let the password cracker run for some time. Note
the passwords cracked and the time it takes to
crack them.
13. To end the program, from the File menu, select
Exit.
You should read the help files for LC4 and understand
that the brute-force capability of the trial copy is not
functional. Strong passwords that would eventually be
cracked using the brute force techniques will not be
cracked using the trial program.
After your experiment consider: How could you use a
password cracking program in a security program?
Review Questions
1. Give an example of a distributed software environment.
2. Give an example of a non-distributed software environment.
3. Why do distributed systems increase the risk quotient of software systems?
4. Explain the difference between worms, virus, and logic bombs.
5. Discuss the difference between a relational database and an object-oriented database.
6. Why are distributed database systems harder to protect?
7. How can a paging file pose a risk to systems?
8. Does a SANS pose any special security risk?
9. Name and define two types of software attacks.
10. Why is remote administrative software dangerous?
Exam Questions
1. Back Orifice is an example of a what?
A. Remote administration tool
B. Logic bomb
C. Virus
D. Trojan horse
2. A protocol analyzer is an example of a what?
A. Virus
B. Hacker tool
C. Legitimate network administration tool
D. Trojan horse
3. Which of the following is not a legitimate way to deal with an announcement of circulating malicious code?
A. Check with CERT.org.
B. Check with your security officer.
C. Do a search on the Internet for hoax busting sites.
D. Forward the notice to all of your friends.
4. Which of the following is true about antivirus programs?
A. They facilitate secure remote administration.
B. They can be configured to block executable attachments from email.
C. They discover and destroy or quarantine all virus attacks on computers on which they are installed.
D. They rebuff attacks from malicious code.
5. A software development methodology which uses extensive prototyping and is best suited for applications where economy or quality might be sacrificed is which of the following?
A. Spiral
B. Waterfall
C. Unstructured
D. RAD
6. The waterfall methodology of software development is characterized by which of the following?
A. A progression of steps. Each step must be completed before the next one can follow.
B. An iterative pattern in which planning and risk analysis dominate.
C. Characterized by focus groups, prototyping and time-boxing.
D. A loose application of methodology in which programmer style is more important than documentation or formal practices.
7. The ability to work in a higher level view of a problem is called what?
A. Abstraction
B. Layering
C. Data hiding
D. System high
8. A software development methodology characterized by modularity, data hiding, and limited control structures is called which of the following?
A. Object-oriented programming
B. Structured programming
C. Computer-aided software engineering
D. Few inexpensive programs exist that enable this to be done on today’s PC systems.
Answers to Review Questions
1. An e-commerce site with a database back end. For more information, see the “Distributed Systems” section.
2. A standalone database accessed by terminals. For more information, see the “Non-Distributed Systems” section.
3. One way in which distributed systems increase the risk quotient of software systems is that they offer more opportunities for the spread of malware. Viruses can be spread by removable storage on any system, but distributed systems can also be infected by email, access to Web sites, chat rooms, and use of instant messenger programs. See the section “Malware for Distributed Systems” for more information.
4. Worms spread themselves by traveling from computer to computer. Viruses hide their code within other, legitimate programs. A Trojan horse is a malware program that disguises itself as something else. See the section “Malware for Distributed Systems” for more information.
6. Distributed databases are harder to protect because the data can be itself distributed across multiple locations. Transactions can involve access to and manipulation of data in more than one database and therefore, there are problems with consistency. See the “Database Issues” section for more information.
7. A paging file is used to temporarily store data to disk during processing. Data is paged in and out of memory to disk, thus extending the memory space available. Unfortunately, if sensitive data, such as unencrypted data or plaintext passwords, exist in memory, they can also be paged to disk. Although the paging file is protected when the system is running, when a system is shut down it is not. After shutdown, the paging file exists on disk as an ordinary file. If the paging file was not cleared at shutdown, the sensitive data exists on disk. Booting the system to another OS might expose the sensitive data. See the section “Storage and Storage Systems” for more information.
8. A SANs can pose a security risk because security is often not designed in. Although operating systems can have access-control designed in, a SANs that is accessible from all systems cannot have any special controls available. This might have been less of an issue when SANs systems were contained in the data center and used lesser-known communications channels, but SANs systems are now becoming distributed systems and migrating to IP. See the section “Storage Area Networks.”
9. Software attacks can be dictionary attacks, brute-force attacks, spoofing, man-in-the-middle, sniffing, scanning, and so on. See the section “Attacking Software.”
10. Remote administration software can be used to administer systems from locations other than the protected data center. If an unauthorized person can obtain a legitimate account with privileges to run them, they can attack from a remote location. See the section “Illegitimate Use of Legitimate Software.”
Answers to Exam Questions
1. D. Back Orifice is a Trojan horse. This software was developed to remotely control systems without permission. The “server” portion of the product is often innocently installed by an administrator who has been tricked into doing so. The “client” is installed on the system used to attack the victim. Also, many admins have been tricked into thinking this is a legitimate product and installed the system thinking to use it for their own work, only to find a backdoor has allowed an unauthorized individual to control their systems. See the section “Illegitimate Use of Legitimate Software.”
2. C. A protocol analyzer is an example of a legitimate network administration tool. It is used to troubleshoot networking problems. It can be used by an attacker to inspect traffic on the network. See the section “Network Software.”
3. D. Forwarding the notice to all of your friends only perpetuates the hoax, if that is what it is. By checking with official resources (CERT, your security department) you might discover the true nature of the problem and how to deal with it (ignore, patch). If the nature of the threat is unknown, contacting your security department will ensure its investigation and proper action.
Getting others excited about a nonexistent problem is in itself a problem as it clutters up the mail servers and can reduce the availability of network resources. See the section “Real Problems and Pseudo Attacks.”
4. B. Can be configured to block executable attachments from email. This feature is present in most antivirus programs that are made for email servers. By eliminating executable attachments, a rich source of malware is prevented from reaching the end user. Because it is difficult to train users not to click attachments, preventing attachments from reaching users eliminates a threat. See the section “What Protection Does Antivirus Software Provide?”
5. D. Rapid Application Development is a methodology that seeks to bring projects to fruition quickly. It is difficult to do so without sacrificing something. See the section “Rapid Application Development.”
6. A. A progression of steps. Each one “flows” down to the next, hence the name. See the section “System Development Lifecycle.”
7. A. Abstraction is the ability to view a problem from a high, conceptual level. See the section “Security Control Architecture.”
8. B. Structured programming. See the section “Structured Programming.”
9. C. Hiding the keys is problematic. Although writing cryptographic code is difficult, many software development environments include prewritten interfaces that simplify its use. Although it is true that, eventually, encryption might be broken, an attacker will first seek to obtain the keys. (Why do the difficult thing, when the easy solution exists?) See the section “Impacting Security Through Good Software Design and Coding Practices.”
Suggested Readings and Resources
C H A P T E R 5
OBJECTIVES
tunities for securing data, if it’s improperly implemented
and used, it is just another good thing gone bad.
OUTLINE
S T U DY S T R AT E G I E S
. Read the introductory information to get a high level understanding of the key components.
. Read the entire chapter concentrating in on the key technical areas.
. Go through the chapter concentrating on the exercises and understanding how all of the pieces fit together.
INTRODUCTION
There is no silver bullet when it comes to network security. One
technology comes close, however: cryptography. Most people do not
understand how cryptography works and why it is important that
it become a critical part of their security arsenal. This chapter
introduces the key concepts that are needed to be able to use and
integrate security into your environment.
USES OF CRYPTOGRAPHY
Discuss the uses of cryptography including confidentiality,
integrity, authentication, and nonrepudiation.
Cryptography (abbreviated crypto) can be used for a variety of
purposes to protect information. When most people think of crypto,
they think of making sure no one else can read a certain piece of
information; keeping their secrets secret. This plays a key role in
crypto, but there are actually four other main goals of cryptography.
Each of these is discussed in the following sections.
Confidentiality
Confidentiality is preventing, detecting, or deterring unauthorized
access to information. I have sensitive data and I want no one else
to be able to read it. This is a fundamental goal of encryption.
Integrity
Integrity is preventing, verifying, and detecting the alteration of data
or information you have sent. You have to make sure that someone
cannot modify your information without your knowledge. Some
people ask why this is a separate category, because they would argue
that you cannot modify information if you cannot read it. If the
information is protected from a confidentiality attack and unread-
able how could someone modify the information? The answer is,
“Very simply.” You just need to find out the value of a field that you
know and use that as a starting point to modify information you
might not know.
Let’s look at an example to make this clearer. If an employee gains
access to the spreadsheet that human resources maintains to keep
salary information, the employee cannot read the salary information
because that field is encrypted. However, the other fields are not
encrypted so if the employee knows that the CIO of the company
makes more money than he does, he could copy the encrypted value
for the CIO’s salary and paste it in his own field. This employee
might not know the value to which he changed his salary, but as
long as it was higher than his initial salary, he would consider the
attack a success. This is one example where you can modify informa-
tion even if you cannot read it. Hash algorithms are typically used to
provide for integrity of information.
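The salary example above, as an added example that is not part of the book: each row carries an opaque encrypted salary, and copying the CIO’s encrypted value into another row changes that row’s salary without the attacker ever reading it. A keyed hash (HMAC) over the row’s owner and the encrypted field makes the substitution detectable. The encryption here is a deliberately simple stand-in (XOR with a fixed keystream derived from a constructed key) so the example runs with the standard library alone; it is not a real cipher, and the keys, names and salaries are all constructed for the example.

```python
# Added example, not from the book: the encrypted-salary substitution from the
# text, and an HMAC tag that detects it. The "encryption" is a toy stand-in
# for an opaque encrypted field, not a real cipher; keys, employee names and
# salaries are constructed for the demonstration.
import hashlib
import hmac

ENC_KEY = b"constructed-demo-encryption-key"
MAC_KEY = b"constructed-demo-integrity-key"


def _keystream(n):
    # Toy: one fixed keystream for every row. That reuse is part of what lets
    # the swap below work, but a real cipher with no integrity check is open
    # to the same field substitution; the fix is the tag, not a better XOR.
    return hashlib.sha256(ENC_KEY).digest()[:n]


def encrypt_salary(salary):
    plaintext = salary.to_bytes(8, "big")
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(8)))


def decrypt_salary(ciphertext):
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(8)))
    return int.from_bytes(plaintext, "big")


def integrity_tag(employee, ciphertext):
    """HMAC over the row owner and the ciphertext binds the value to its row."""
    return hmac.new(MAC_KEY, employee.encode() + b"|" + ciphertext, hashlib.sha256).digest()


def make_row(employee, salary):
    ciphertext = encrypt_salary(salary)
    return {"employee": employee,
            "salary_ct": ciphertext,
            "tag": integrity_tag(employee, ciphertext)}


def read_salary(row):
    """Verify the tag before trusting the field; refuse the row on mismatch."""
    expected = integrity_tag(row["employee"], row["salary_ct"])
    if not hmac.compare_digest(expected, row["tag"]):
        raise ValueError(f"integrity check failed for {row['employee']}")
    return decrypt_salary(row["salary_ct"])


def field_swap(victim_row, target_row):
    """The substitution in the text: paste one row's encrypted salary into another."""
    tampered = dict(target_row)
    tampered["salary_ct"] = victim_row["salary_ct"]
    return tampered


def demo():
    """Return (salary seen without a check, whether the check caught the swap)."""
    cio = make_row("cio", 250000)
    employee = make_row("employee", 60000)
    tampered = field_swap(cio, employee)
    without_check = decrypt_salary(tampered["salary_ct"])   # confidentiality alone: swap succeeds
    try:
        read_salary(tampered)
        detected = False
    except ValueError:
        detected = True
    return without_check, detected
```

The tag covers the owner as well as the ciphertext, so a value that is perfectly valid in one row fails verification when it appears in another; compare_digest keeps the comparison from leaking how many bytes matched.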
Authentication
Authentication involves identifying an individual or verifying that the
individual is part of a certain group. For example if you try to get
into a bar, the bouncer does not really care who you are as a person;
he just wants to make sure you belong to that group of people who
are 21 or older. In other cases if you are trying to use a credit card,
the merchant wants to make sure that you are the person who is list-
ed on the front of the card. You typically can authenticate someone
based on one of three attributes:
á Something the person knows, such as a password
á Something the person has, such as a token
á Something the person is, or biometrics
Nonrepudiation
Nonrepudiation is critical when it comes to digital signatures. It deals with proving in a court of law that someone was the originator. E-commerce would never have taken off if a merchant could not prove that someone was the originator of the transaction. In traditional contracts our signature serves as proof that we contractually obligated ourselves to an agreement. Because that signature is unique to you, someone at a later point in time can prove that you committed yourself to that agreement, meaning you cannot repudiate it, or get out of it.
This same type of proof needs to be obtained in the digital world.
Otherwise, people could place orders and if, a day or two later, the
price decreased, they could deny that they ever placed the order. If
this could occur, no one would use the Internet for any type of
e-commerce. Nonrepudiation is a feature of asymmetric encryption
that allows you to prove that someone actually sent a message. It is
equivalent to an actual signature.
CRYPTOGRAPHIC CONCEPTS, METHODOLOGIES, AND PRACTICES
Compare and contrast symmetric and asymmetric algorithms.
As previously discussed, cryptography has several properties and no single technique can achieve them all. By putting various different pieces together, you can achieve a strong, robust solution. When talking about cryptography, the following basic terms need to be defined:
• Plaintext—A message in its original form. Remember that any type of message can be encrypted. So even though the word has text in its name, plaintext is really a generic term and can refer to an executable, a zipped file, a word-processor document, a spreadsheet, or any type of information you would want to keep protected and secure. This is the data before anything has been done to it.
• Ciphertext—A message after it has been encrypted.
• Encryption—The process of taking a plaintext message and converting it to ciphertext.
• Decryption—The process of taking ciphertext and converting it back to a plaintext message. The key thing with encryption and decryption is this: If you take a plaintext message, convert it to ciphertext, and then decrypt it back to plaintext, the decrypted plaintext message must match the original plaintext message that was input into the encryption algorithm.
Symmetric Algorithms
Symmetric encryption is often called single-key or secret-key encryption. That is because a single key is used for both encryption and decryption of the information. So if I wanted to send you an encrypted message using symmetric key encryption, I would encrypt the message with a key, and send you the key and the message. You would then use the same key to decrypt the message. The key thing to remember is that the key has to be kept secret. Whoever knows the key not only can decrypt messages but also can encrypt messages to impersonate the sender. As you can tell from the previous sentence, the logistics create a problem.
Asymmetric Algorithms
Asymmetric encryption is often called two-key encryption or
public-key encryption. It involves two keys: a public and a private key.
The public key is given to anyone who wants it and the private
key is kept secret by the user. Anything that is encrypted with one
key can only be decrypted with the other key. To make sure that no
one can read your message to Bob, you would encrypt the message
with Bob’s public key. Bob would then use his private key to decrypt
the message. Anyone along the path would be unable to read the
message. Even if they were able to intercept Bob’s public key they
still could not read the message. Remember that after a message is
encrypted with Bob’s public key, the public key cannot decrypt it.
The only way to decrypt it is by using Bob’s private key, which only
he should have. So with asymmetric encryption the public key does
not have to be sent over a secure channel but it must be sent over a
trusted channel. Otherwise an attacker could generate a fake key for
Bob and send it to you.
One of the drawbacks of symmetric encryption was that it did not address nonrepudiation. Asymmetric encryption handles nonrepudiation very elegantly. Remember the sentence earlier about asymmetric encryption: anything that is encrypted with one of the keys can only be decrypted by the other. What happens if I encrypt a message with my private key? It can only be decrypted with my public key. So if Alice encrypts a message with her private key, anyone can read the message because anyone has access to her public key, so it does not address confidentiality. However, when Bob receives the message and successfully decrypts it with Alice’s public key, he has determined that the only person who could have created this message is the person who has Alice’s private key; because Alice is the only one who has access to her key, we just proved that she sent the message.
You might be thinking that it is great that you can get confidentiality if you encrypt with someone’s public key and you can get nonrepudiation if you encrypt with your private key, but how do you get both confidentiality and nonrepudiation? Easy, you perform two steps. First, you would encrypt a message to Bob with your private key and then you would encrypt the output with Bob’s public key. Now what is sent across the wire is secure. Bob would decrypt with his private key to read the message and then decrypt with your public key to prove that you sent the message.
Message Authentication
Message authentication codes (MACs) are used to make sure the message has not changed in transit and therefore protect it against integrity attacks. Authentication codes can be very basic or complex, but they perform some check to determine whether any of the information has been modified. A basic check that is not secure is a parity check. Parity counts the number of 1’s in the message before it is sent, and the receiver counts the number of 1’s when it is received to make sure they match. So if a single bit is modified this will catch it, but if two bits are modified it will not.
The basic operation is that a check is performed on the message before it is sent and attached to the message. The receiver will perform the same calculation and check the results to make sure they match. If they match, the message is processed; if they do not match, the message is dropped and an error is generated.
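The salary copy-and-paste scenario from the “Integrity” section and the parity check just described, worked through together as an added example (not code from the book): a one-bit parity check beside a keyed hash (HMAC) over the whole record. The field-masking routine, keys and records are constructed stand-ins so it runs offline.

```python
"""Added example, not from the book: the salary copy-and-paste attack from the
"Integrity" section and the parity check from "Message Authentication", each
compared with a keyed MAC over the whole record.  All keys, records and the
field-masking routine are constructed stand-ins so the example runs offline."""
import hashlib
import hmac

HR_KEY = b"constructed-hr-field-key"   # used by the HR app to hide the salary field
MAC_KEY = b"constructed-hr-mac-key"    # separate key used only for the integrity tag


def mask_field(data: bytes, key: bytes) -> bytes:
    """Stand-in for field encryption: XOR with a keystream derived from the key.
    Deliberately simple and deterministic (NOT a real cipher) so that copying a
    ciphertext between records behaves as the book describes.  Self-inverse."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def encrypt_salary(salary: str) -> bytes:
    return mask_field(salary.encode(), HR_KEY)


def decrypt_salary(blob: bytes) -> str:
    return mask_field(blob, HR_KEY).decode()


def canonical(record: dict) -> bytes:
    """Serialise a record unambiguously (field name, length, value) so that a
    value moved between fields or records changes the bytes that get tagged."""
    out = b""
    for name in sorted(record):
        value = record[name]
        if isinstance(value, str):
            value = value.encode()
        out += name.encode() + b"=" + len(value).to_bytes(4, "big") + value + b";"
    return out


def record_tag(record: dict) -> bytes:
    """Keyed hash over the whole record; the employee does not hold MAC_KEY."""
    return hmac.new(MAC_KEY, canonical(record), hashlib.sha256).digest()


def verify_record(record: dict, tag: bytes) -> bool:
    return hmac.compare_digest(record_tag(record), tag)


def parity(data: bytes) -> int:
    """The book's parity check: one bit saying whether the count of 1s is odd."""
    return sum(bin(b).count("1") for b in data) % 2


def flip_bits(data: bytes, positions) -> bytes:
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def salary_paste_attack() -> dict:
    """The employee pastes the CIO's encrypted salary into his own record."""
    cio = {"name": "Carol", "title": "CIO", "salary": encrypt_salary("250000")}
    dave = {"name": "Dave", "title": "Analyst", "salary": encrypt_salary("50000")}
    dave_tag = record_tag(dave)             # stored when the record was written
    accepted_before = verify_record(dave, dave_tag)
    dave["salary"] = cio["salary"]          # the attack: copy ciphertext, no key needed
    return {
        "mac_accepts_before": accepted_before,                      # True
        "salary_now_decrypts_to": decrypt_salary(dave["salary"]),   # "250000"
        "mac_accepts_after": verify_record(dave, dave_tag),         # False
    }


def parity_vs_mac() -> dict:
    """One flipped bit: parity catches it.  Two flipped bits: parity misses it, the MAC does not."""
    msg = b"TRANSFER 100 TO ACCT 42"
    p0 = parity(msg)
    t0 = hmac.new(MAC_KEY, msg, hashlib.sha256).digest()
    one_bit = flip_bits(msg, [3])
    two_bits = flip_bits(msg, [3, 11])
    t2 = hmac.new(MAC_KEY, two_bits, hashlib.sha256).digest()
    return {
        "parity_catches_one_bit": parity(one_bit) != p0,           # True
        "parity_catches_two_bits": parity(two_bits) != p0,         # False
        "mac_catches_two_bits": not hmac.compare_digest(t2, t0),   # True
    }


if __name__ == "__main__":
    print(salary_paste_attack())
    print(parity_vs_mac())
```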
Hash Functions
A hash function is a one-way transformation that cannot be reversed.
It takes input data and produces a smaller fixed length output.
Having the output, there is no way to figure out what the original input text is. Another characteristic of a strong hash function is that there should be no way to pick two input data streams that produce the same output. Hash functions are very popular with digital signatures because they reduce the amount of information that has to be encrypted. The most common implementation of hash functions is MD5.
Digital Signatures
Digital signatures are used to ensure nonrepudiation. Previously, when discussing asymmetric encryption, we discussed how encrypting with someone’s private key can ensure nonrepudiation. However, remember that asymmetric encryption is very slow, so encrypting the entire message would be very inefficient. Instead, the message is first put into a hash function. A hash function takes a message of any length and produces a smaller fixed length output. So by using the hash function, we decreased the size of the message. This smaller message is then encrypted with the private key of the sender.
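The hash-then-sign signature just described and the two-step sign-then-encrypt exchange from “Asymmetric Algorithms”, as an added example that is not the book’s code: textbook RSA on small constructed primes (toy key sizes, no padding, illustration only), with Alice signing and Bob receiving.

```python
"""Added example, not from the book: textbook RSA with small constructed primes
showing (1) "encrypt the hash with the private key, decrypt with the public key"
as a signature, and (2) the two-step sign-then-encrypt exchange.  Toy key sizes
and no padding: this illustrates the mechanism and is not a usable RSA."""
import hashlib
from math import gcd


def keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two (constructed) primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    return (n, e), (n, pow(e, -1, phi))   # (public, private); needs Python 3.8+


ALICE_PUB, ALICE_PRIV = keypair(1000000007, 998244353)
BOB_PUB, BOB_PRIV = keypair(1000000009, 1000000021)
BLOCK = 7   # 56-bit blocks are always below the ~2^59 moduli used here


def digest_int(msg: bytes) -> int:
    """Hash first, as the book says, then shrink the digest so it is below n."""
    return int.from_bytes(hashlib.sha256(msg).digest()[:BLOCK], "big")


def sign(msg: bytes, priv) -> int:
    n, d = priv
    return pow(digest_int(msg), d, n)          # "encrypt" the hash with the private key


def verify(msg: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(msg)   # "decrypt" with the public key, compare


def to_blocks(data: bytes):
    """Length-prefix and zero-pad so the byte string survives the block split."""
    framed = len(data).to_bytes(2, "big") + data
    framed += b"\x00" * (-len(framed) % BLOCK)
    return [int.from_bytes(framed[i:i + BLOCK], "big") for i in range(0, len(framed), BLOCK)]


def from_blocks(blocks) -> bytes:
    framed = b"".join(b.to_bytes(BLOCK, "big") for b in blocks)
    return framed[2:2 + int.from_bytes(framed[:2], "big")]


def encrypt(data: bytes, pub):
    n, e = pub
    return [pow(m, e, n) for m in to_blocks(data)]


def decrypt(cipher_blocks, priv) -> bytes:
    n, d = priv
    return from_blocks([pow(c, d, n) for c in cipher_blocks])


def alice_sends(msg: bytes):
    """Step 1: sign with Alice's private key.  Step 2: encrypt message plus
    signature with Bob's public key, so only Bob's private key can open it."""
    package = msg + sign(msg, ALICE_PRIV).to_bytes(8, "big")
    return encrypt(package, BOB_PUB)


def bob_receives(cipher_blocks):
    """Bob reverses the two steps: his private key first, then Alice's public key."""
    package = decrypt(cipher_blocks, BOB_PRIV)
    msg, sig = package[:-8], int.from_bytes(package[-8:], "big")
    return msg, verify(msg, sig, ALICE_PUB)


if __name__ == "__main__":
    text = b"Alice agrees to buy 100 widgets"
    received, genuine = bob_receives(alice_sends(text))
    print(received, genuine)                                   # b'Alice agrees ...' True
    print(verify(text + b"!", sign(text, ALICE_PRIV), ALICE_PUB))   # False: message altered
```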
Key Length
A common rule of encryption is that all encryption is breakable; it is just a matter of time before it’s broken. It might take 200 years, but by utilizing a brute-force attack, which is an attack that tries every possible key, the encryption will eventually be broken. The amount of time it takes to perform a brute-force attack depends on key length. The longer the key, the more possible potential values for the key, which means it will take longer to guess. For example, if we are talking binary numbers, a key length of two can be broken very quickly because there are only four possible combinations. (2 to the power of 2 equals 4.) However, jumping to a key length of 56 bits gives 72,057,594,037,927,936 possible keys. This is derived by raising the number 2 to the power of 56, 2^56. Because computers are binary devices a 56-bit key is composed of 56 bits and each bit can either be zero or one. So you can quickly see the longer the key length the longer it will take to break the encryption.
The rule of thumb is that the usefulness of the information should be less than the time it takes to brute force the encryption. For example, if one company is going to buy another company within three months, the first company wants to keep this information private. After the first company buys the second, however, this information will become public and no longer needs to be protected. So the usefulness of this information is three months. If the company uses a key length that can be broken within 12 months, that works fine for this information. However, if the information is about a new airplane that can go to the moon, and it will take 20 years to build this airplane, a much stronger encryption must be utilized in order to keep the information safe from the public.
Another important point is that computers are constantly increasing
in power and speed. Just because it takes 10 years today to break a
certain type of encryption does not mean a year from now it will not
take less than a year. Thus, you are really shooting at a moving target
when you deal with key lengths.
One-Time Ciphers
A one-time cipher is often considered to be unbreakable encryption.
That is not really a completely accurate statement. The reason
people make this claim is each time you encrypt a message you use a
new key. So you would never ever use the same key twice. Now even
if someone was able to perform a brute-force attack and break the
encryption, it would only let them read that one message and no
other message. So it is a very strong form of encryption, but it
requires the user to maintain a list of keys so it can use a different
one each time. In reality for one-time ciphers the user carries around
a hardware device that generates a new key every minute.
METHODS OF ATTACK
Detail common methods of attacking encryption including general and specific attacks.
As discussed, there are various encryption techniques that can be
used to protect your information. But how do you know that the
encryption techniques are robust and really doing what they say they
are doing? How do you know that there are not hidden backdoors
in the program that someone can use to extract information?
The simple answer is that we do not know how robust a given technique is when it is initially developed. When it comes to encryption, there is no mathematical proof that can be performed that will tell you an encryption scheme is secure. The only way to know the strength of an encryption scheme is to let the world examine it and then attempt to break its cipher. This would normally be performed over an extended period of time before the code is accepted as a secure means of communication across an unsecured network.
That is why a new technique that has only been around for a couple of years is considered untested, and therefore not secure. With encryption, something is considered unsecure until it has been proven that it cannot be broken by a bunch of really smart people. These people whose goal is to crack encryption are called cryptanalysts. Only after cryptanalysts have unsuccessfully tried to break a scheme for three to five years do people consider the encryption scheme secure.
In this section we look at various ways to attack encryption schemes. The first group consists of general attacks that can be performed against encryption. The second group involves specific attacks that people use to break encryption. In most cases breaking encryption involves finding the key that was used to encrypt the data. After you know the key, you can decrypt the data and read the encrypted message. With encryption, the secrecy of the encrypted text is based on the secrecy of the key, not the secrecy of the algorithm. This means that even if someone knows the algorithm, without the key they cannot crack the encrypted text. Therefore it is fairly common for the algorithm to be open and published because if it is done correctly, it will not make it any easier to crack the encrypted message.
General Attacks
Four general attacks can be performed against encrypted information:
• Ciphertext only
• Known plaintext
• Chosen plaintext
• Chosen ciphertext
As you move down the list, the attacks become easier to perform.
This should not be surprising because as you move down the list
you are given more information on which to base your analysis. The
more information you are given to solve a problem, the easier it
becomes. We will look at all of these in detail but in most cases you
are only given the ciphertext. The other attacks are more appropriate
if you also compromise someone’s machine or in a lab environment.
Ciphertext-Only Attack
With a ciphertext-only attack (COA), the only thing the cryptanalyst has is encrypted text. This is your traditional attack because if you are using encryption to protect your data over a non-secure link, it is assumed that someone will be able to intercept the encrypted text. The whole purpose of encryption is that if someone obtains your encrypted text, they cannot read your original message. So this type of attack is very difficult with strong encryption algorithms. Strong encryption refers to algorithms that have stood the test of time and no one has found a means to defeat them.
A critical point to cover is that all encryption is breakable; it is just a matter of time. Brute-force attacks are always possible. This is where you try every possible combination until you find the proper key. A critical point with brute-force attacks is, how do you know when you have successfully cracked the key? With binary data, the actual data can look like gibberish, very similar to the encrypted information. Brute-force attacks are discussed in the “Specific Attacks” section later in this chapter.
Known-Plaintext Attacks
Known-plaintext (KPA) attacks imply that for a given message the
cryptanalyst somehow was able to find the original plaintext message
that was used to generate the ciphertext. Two parties might be using
the same key and algorithms for several messages and the goal is to
find the key. For one particular message the cryptanalyst now has
the plaintext message and the corresponding ciphertext. This attack
depends on whether there are patterns between the two and the
overall strength of the algorithm. Finding plaintext for a given
message could make it much easier to crack the key or keep the
difficulty level the same. Also the overall length of the message
would dictate how valuable or successful this attack will be.
Chosen-Plaintext Attacks
In some cases, access to the device that generates the encryption can be obtained without obtaining the key. In this case, you could feed in whatever plaintext you want and receive the corresponding ciphertext. This is one step easier than the known plaintext. With that attack, a cryptanalyst could not pick the plaintext; they are at the mercy of the system. With this attack, they can now pick whatever plaintext they want. The chosen plaintext would contain every single letter in the alphabet. By doing this, the attacker would obtain the mapping for every character and therefore obtain the key.
Chosen-Ciphertext Attacks
The last general attack is a very sophisticated attack. In this attack, you can pick the ciphertext and the system will give you the corresponding plaintext. As you can imagine, by doing this you can obtain a lot of critical information that would make it easier to crack a given algorithm. However, this attack is considered theoretical, and in most cases is only possible in a lab. In normal operations the chances of performing such an attack are very slim, probably nil.
Specific Attacks
In this section we will look at specific attacks that can be launched
against encryption systems.
Brute-Force
As we mentioned earlier, all encryption is crackable, it is just a matter
of time. So if a vendor tells you that it has proprietary encryption that
is uncrackable, run for the hills because the vendor is lying to you.
First, the strength of encryption is based on the secrecy of the key, not the secrecy of the algorithm. So the only reason you would keep an algorithm proprietary is if it wasn’t any good. Second, remember all encryption can be cracked from a brute force standpoint. Because the goal is to find the key, you could go and try every possible combination. If the key was composed of letters you would try every possible combination. The beginning of such an attack would look like A, AA, AB, AC, and so on. Eventually you will find the key. It could take 500 years to find it, but it could still be cracked. Therefore when we pick a key length, we have to figure out the time it would take to brute-force that key length and make sure the information content expires before the technique can be brute-forced. For example, if I only have to keep something secret for two days, encryption that could be cracked by a brute-force attack in two weeks would work fine. However, if the value of information has to be kept secret for 10 years, two weeks would be too short a period of time.
NOTE
Crack: Crack is a program written to crack the encryption that is used to store passwords on Unix operating systems. It was originally written to crack the crypt encryption, which is a variant of DES used to encrypt Unix passwords. Essentially, crypt used the password as the key and encrypted a set string to produce the ciphertext. Then, when someone entered her password, it would decrypt with the password the user entered, and if it returned the set string the user knew the password was valid; if it did not, then the system denied access. Crack is pretty basic compared to today’s cracking programs, but when it first came out it was very powerful and it showed the impact that all encryption is crackable; it is just a matter of time.
Replay Attacks
A replay attack involves taking encrypted information and playing it back at a later point in time. For example, to gain access to a network a user would enter a password, which is sent over the wire encrypted to the server. You cannot read the password because it has been encrypted with a large key. However, you could sniff the encrypted password and, when you want to impersonate a given user, just replay, or send the server, the encrypted information you gathered off the network. The best way to defeat replay attacks is to put some piece of information like time into the equation. So if you try to replay information 10 minutes from now it would not work because the time factor would not match for the data you are trying to replay.
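The time-factor defense just described, as an added example (not from the book): a login token bound to a timestamp and a one-time nonce under an HMAC, with the server-side check that rejects a replayed copy. The nonce and the acceptance window are additions beyond the page’s time factor, and the shared key, user names and clock values are constructed.

```python
"""Added example, not from the book: a login token that carries a timestamp and
a one-time nonce under an HMAC, and the server-side check that rejects a copy
of it sent again later.  Shared key, users and clock values are constructed;
the nonce and acceptance window go beyond the time factor the text mentions."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-key"   # known to the client and the server only
WINDOW = 300                             # seconds a token stays acceptable


def make_token(user: str, now: int, key: bytes = SHARED_KEY) -> bytes:
    """Client side: bind user, time and a fresh nonce together under the MAC."""
    nonce = secrets.token_hex(8).encode()
    body = b"|".join([user.encode(), str(now).encode(), nonce])
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Server:
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen = {}   # nonce -> timestamp at which it was accepted

    def check(self, token: bytes, now: int):
        """Returns (accepted, reason).  The tag is verified before anything
        else in the token is trusted."""
        parts = token.split(b"|")
        if len(parts) != 4:
            return False, "malformed"
        user, ts_raw, nonce, tag = parts
        body = b"|".join([user, ts_raw, nonce])
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"          # altered or forged token
        try:
            ts = int(ts_raw)
        except ValueError:
            return False, "malformed"
        if abs(now - ts) > WINDOW:
            return False, "stale"            # the book's time factor no longer matches
        # Forget nonces that could not pass the time check anyway, then reject reuse.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW}
        if nonce in self.seen:
            return False, "replayed"         # the same token sniffed and sent again
        self.seen[nonce] = ts
        return True, user.decode()


def replay_scenario() -> list:
    """Sniff one legitimate login and try to reuse it, as the text describes."""
    server = Server()
    sniffed = make_token("alice", now=1_000_000)
    results = [server.check(sniffed, now=1_000_000)[1]]      # "alice": genuine login
    results.append(server.check(sniffed, now=1_000_010)[1])  # "replayed": inside the window
    results.append(server.check(sniffed, now=1_000_900)[1])  # "stale": outside the window
    forged = sniffed.replace(b"alice", b"admin")             # tamper with the user field
    results.append(server.check(forged, now=1_000_000)[1])   # "bad tag"
    fresh = make_token("alice", now=1_000_900)
    results.append(server.check(fresh, now=1_000_900)[1])    # "alice": a new token still works
    return results


if __name__ == "__main__":
    print(replay_scenario())
```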
Man-in-the-Middle Attacks
When we talked about symmetric and asymmetric encryption, we said that symmetric keys have to be sent over a secure channel but asymmetric keys only have to be sent over a trusted channel, not necessarily a secure channel. The reason a trusted channel is needed is to prevent an attacker from inserting themselves in the middle of a communication channel and impersonating both sides. For example, say that Alice and Bob want to communicate using asymmetric encryption.
Meet-in-the-Middle Attacks
Most people have heard of DES and 3-DES or triple DES, but have you ever heard of double DES? What is wrong with double DES that caused the developers to go right to triple DES instead? The reason has to do with a potential vulnerability that exists with double DES; the attack is called a meet-in-the-middle attack. Essentially, when you do the first round of encryption, you encrypt the message with key1 to yield ciphertext 1, which is shown in the following formula:
E(M,K1)=C1
Birthday
When dealing with hash functions, because they are a one-way function, it is critical that the chances of two random messages hashing to the same value is slim. It should also be difficult if not impossible to figure out the input text based solely on the output text. The birthday attack against hash functions deals with trying to find two different messages that hash to the same value. If this can be found, information could be implied and potential weaknesses could be found. The name derives from the birthday game, which involves taking a room full of people and figuring out the chance that two people have the same birthday. Originally you would think, because there are 365 possible birthdays, that with a small group of fewer than 100 people the chance of two people having the same birthday would be extremely low; in reality, though, the number is quite high, actually greater than 50%. So the lesson to be learned is that even though there are a high number of possible values that something or someone can take on, the chances of two having the same value are extremely high even if the range of answers contains a lot of values.
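The birthday calculation above, and the same effect applied to a hash, as an added example not from the book: the room-of-people probability, then a collision search on a SHA-256 output truncated to a constructed number of bits, showing why finding a collision costs roughly 2^(n/2) work rather than 2^n and why hash output length matters.

```python
"""Added example, not from the book: the birthday probability from the text and
the same effect on a hash function.  The truncation widths and test messages
are constructed; the full SHA-256 is only truncated so a collision is findable."""
import hashlib
import math


def birthday_probability(people: int, days: int = 365) -> float:
    """P(at least two of `people` share one of `days` values)
    = 1 - prod_{i=0}^{people-1} (days - i) / days."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def smallest_group_over(threshold: float, days: int = 365) -> int:
    """Smallest group whose collision probability exceeds `threshold` (23 for 50%)."""
    n = 1
    while birthday_probability(n, days) < threshold:
        n += 1
    return n


def expected_work(bits: int) -> float:
    """Expected number of random hashes before two collide: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * (1 << bits))


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits: a hash with a 2^bits output space."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, max_tries: int = 1 << 20):
    """Hash distinct messages until two share a truncated value.
    Returns (message1, message2, tries) or None if max_tries is exhausted."""
    seen = {}
    for i in range(max_tries):
        msg = b"constructed-msg-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    print(round(birthday_probability(23), 3), smallest_group_over(0.5))   # 0.507 23
    for bits in (16, 24):
        m1, m2, tries = find_collision(bits)
        print(bits, tries, round(expected_work(bits)))   # tries is near the expected work
```

Doubling the truncation width from 16 to 24 bits raises the collision cost by only a factor of about 16, which is the square-root relation the birthday bound predicts.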
CASE STUDY: ENCRYPTION CAN BE A DOUBLE-EDGED SWORD (continued)
• Solutions exist—Such as disabling EFS until a PKI can be established to ensure the availability of recovery agents.
• Systems in a domain might not be vulnerable because a domain-level recovery agent is available—However, historically, things have happened to corrupt or remove this key as well.
• The most vulnerable users to this issue are the very ones who will use it and be caught—This includes the home user, the small business person, and the company without central data systems with domains and experienced technical people.
In Windows 2000, a file recovery agent exists and can also decrypt the file. Windows XP systems not in a domain do not have a file recovery agent.
Unfortunately, users of EFS often receive no training and few if any read the documentation that clearly states the user’s keys must be archived to provide backup should the original keys become corrupt. The keys are stored in the user’s profile (a collection of configuration information and folders that reside by default on the user’s hard drive). Should anything happen to the profile, the keys can be lost or damaged.
Users do not generally archive their keys, and it is not practical for company system/network administrators to do so for them (there is no automated way to do so, and thousands of users would mean thousands of archived keys and no key management system). This means that something as simple as a corrupt profile, disk error, or disk crash can destroy the keys. When a user’s machine is fixed (drive replaced, profile regenerated, system reinstalled, and so on), even if the encrypted files are backed up or still present, they cannot be decrypted because keys are missing. With luck, the recovery agent can be used to recover the files; however, many people have lost access to critical, sensitive files due to this problem.
ANALYSIS
Why would such a product exist? Why don’t people read directions? Shouldn’t our data processing gurus know about these things? Here is a case where solid encryption has risen on its hind legs and bitten the ones who use it. Worse, few are taking the steps to properly manage it. If steps are taken to archive keys, ensure recovery agents exist, and train users and administrators, this is a good system to use.
Likewise, if an organization decides it does not want the trouble, it is easy to disable this tool to prevent the user from encrypting files with EFS. Instead, it’s turned on by default, and it’s easy enough to implement. Therefore, a real threat of danger exists. In fact, one consultant I know receives at least one new case a week where someone has encrypted a file and then the keys have been destroyed and their data lost.
CHAPTER SUMMARY
Cryptography plays a key role in obtaining security for an organization. It does not solve all of the world’s problems but plays a key role in defense in-depth across an organization. Especially now that organizations are connected to untrusted networks like the Internet, it is critical that people take measures to protect their information. e-Commerce dictates that you must be able to protect information, validate the accuracy of information, and prove that an entity actually sent a message. All of these goals need cryptography to be achieved. Having a good understanding of the different algorithms and the pros and cons of each is critical for any security professional.
KEY TERMS
• Advanced encryption standard (AES)
• Asymmetric encryption algorithm
• Authentication
• Birthday attack
• Brute force attack
• Certificate authority
• Chosen ciphertext (CCA)
• Chosen plaintext attack (CPA)
• Ciphertext
• Ciphertext only attack (COA)
• Confidentiality
• Cryptanalyst
• Cryptography
APPLY YOUR KNOWLEDGE
Exercises
5.1 Disabling EFS on a Windows 2000 Professional Computer
If EFS is not used in your environment, it should be disabled. This is easy to do. The following instructions are for a Windows 2000 Professional computer.
Estimated Time: 5 minutes
1. Open Start\Programs\Administrative Tools\Local Security Policy.
2. Navigate to and expand the Public Key Policies container.
3. Select the Encrypted Data Recovery Agents container.
4. Right-click the certificate in the details pane labeled file recovery and select Delete. In Windows 2000, when no file recovery agent exists, file encryption cannot take place. (This is not true in Windows XP. Windows XP Professional requires a different process to disable EFS.)
5. Right-click the Encrypted Data Recovery Agents container and select Delete Policy. This prevents the inclusion of another recovery certificate at a later date without the creation of a new policy.
6. Close the Local Security Policy.
Review Questions
1. Discuss the difference between confidentiality, integrity, and authentication.
2. How is a digital signature useful in an e-commerce transaction?
3. Explain the difference between symmetric and asymmetric encryption algorithms.
4. List and explain two problems with symmetric algorithms.
5. A message encrypted with the public key belonging to Jane and sent to her over the network is captured by Peter. Because the public key is publicly available, what prevents Peter from decrypting and reading the message meant for Jane?
6. Asymmetric algorithms can be used to produce nonrepudiation. How is this accomplished? Why is it true?
7. Why isn’t public key encryption used for all encryption purposes?
8. Why is it that we say a longer key provides better protection from being broken?
9. What does a cryptanalyst do? Why?
Exam Questions
1. The message in its original form is an example of what?
A. Plaintext
B. Ciphertext
C. Cleartext
D. Hash
2. Which of the following is NOT an example of a symmetric key encryption algorithm?
A. Rijndael
B. DES
C. 3DES
D. RSA
3. Bob wants to send a private message to Mary and wants no one else to be able to read it. He also wants Mary to be able to know that it came from him. He both signs and seals (encrypts) the message. The following keys are used in which manner?
A. Bob uses Mary’s public key to encrypt the message and his own private key to sign it.
B. Bob uses Mary’s private key to encrypt the message and his own public key to sign it.
C. Bob uses Mary’s public key to encrypt the message and his own public key to sign it.
D. Bob uses Mary’s private key to encrypt the message and her public key to sign it.
4. A one-way transformation that cannot be reversed is a what?
A. MAC
B. Hash
C. Ciphertext
D. Plaintext
5. A way to establish that a key belongs to a particular user is to use which of the following?
A. One-time cipher
B. Digital certificate
C. Digital signature
D. Hash
6. A type of cryptographic attack in which the device that generates the encryption is obtained but not the key is a what?
A. Chosen-ciphertext attack
B. Plaintext attack
C. Ciphertext only attack
D. Chosen-plaintext attack
7. Which of the following is a type of attack in which encrypted information is taken and played back at a later point in time?
A. Replay attack
B. Brute-force attack
C. Man-in-the-middle attack
D. Meet-in-the-middle attack
Answers to Review Questions
1. Confidentiality is the prevention, detection, or deterring of unauthorized access to information. Authentication is proving that you are who you say you are, and integrity is preventing, verifying, and detecting the alteration of data. See the sections “Confidentiality,” “Integrity,” and “Authentication” for more information.
2. The digital signature serves as proof that a specific individual participated in a transaction. The purchaser cannot deny that he has ordered the item. This feature of digital signatures is nonrepudiation. See the section “Nonrepudiation” for more information.
3. Symmetric encryption algorithms use a single key, which can both encrypt and decrypt the plaintext. Asymmetric encryption algorithms, on the other hand, use a matched pair of keys. If one key is used to encrypt, the other one must be used to decrypt. See the sections “Symmetric Algorithms” and “Asymmetric Algorithms” for more information.
4. One problem is that the use of a single key creates the problem of key distribution. I must somehow get to you the key I used to encrypt the message. In addition, if I want to share multiple messages with multiple people, we each need to share multiple keys. Another problem is that a single key cannot be used for nonrepudiation. Because the key is shared, its use cannot prove that a specific person used it. See the section “Symmetric Algorithms” for more information.
5. When data is encrypted with the public key of a public/private key pair, only the private key can be used to decrypt it. The public key will not work. Because the private key is kept by Jane, only Jane, when she receives the message, will be able to decrypt it. See the section “Asymmetric Algorithms” for more information.
6. Asymmetric algorithms use two keys. To digitally sign something, Jane’s private key is used. When the message is received, the signature can be proven to belong to Jane because only Jane’s public key can decrypt it. Furthermore, because only Jane has her private key, only Jane could have signed the message; therefore nonrepudiation exists—Jane cannot deny that she signed the message. See the section “Asymmetric Algorithms” for more information.
7. Public key encryption is very slow, so most uses of it use private key encryption to encrypt the cleartext and use public key encryption to encrypt the private key that must be sent to the recipient. See the section “Asymmetric Algorithms” for more information.
8. All encryption is breakable; the object is to make it take a long time. Because all data in the computer is binary, a small key presents only a few possible combinations of 0s and 1s. A larger key presents a lot more. If a brute-force algorithm, which tries every possible combination, is used, then it is logical that a larger key, with more possible combinations, will take longer to crack. See the section “Key Length” for more information.
9. A cryptanalyst attempts to crack encryption algorithms. A new encryption algorithm must be tested (by trying to crack it) for many years before it can be presumed to be secure. Cryptanalysts do this work. See the section “Methods of Attack” for more information.
Answers to Exam Questions
1. A. Answer B is the encrypted plaintext. Answer C is a font style. Answer D is also wrong. See the section “Cryptographic Concepts, Methodologies, and Practices” for more information.
2. D. Answers B and C are incorrect because they are symmetric key encryption standards of the U.S. government. Answer A is the new U.S. standard, so it’s also incorrect. See the section “Symmetric Algorithms” for more information.
3. A. Answers B and D are wrong because Bob does not have access to Mary’s private key. Answer C is wrong because Mary cannot use his private key to decrypt the signature. See the section “Asymmetric Algorithms” for more information.
4. B. Answer A is a message authentication code or check used to determine whether a message has been changed in transit. Answer C is incorrect because it’s the encrypted plaintext. Answer D is incorrect because it is the message before it is encrypted. See the sections “Message Authentication” and “Hash Functions” for more information.
5. B. The digital certificate binds the key to the user entity. Answer A is a type of encryption algorithm that must use a new key each time, so it’s incorrect. Answer C is a digital signature used to determine who sent the message, so it’s incorrect. Answer D is a type of one-way encryption algorithm, so it’s incorrect. See the sections “One-Time Ciphers,” “Hash Functions,” “Asymmetric Algorithms,” and “PKI and Key Management” for more information.
6. D. Answer A, chosen-ciphertext attack, is one where you pick a ciphertext and get a corresponding plaintext. Answer B is an attack in which you know the original message. Answer C is one in which you only have the ciphertext. See the section “General Attacks” for more information.
7. A. Answer B is an attack in which every possible combination is tried, so it’s incorrect. Answer C is where an attacker inserts himself into the middle of a communication channel and impersonates both sides, so it’s incorrect. Answer D is a special attack based on the vulnerability of double-DES, so it’s incorrect. See the section “Specific Attacks” for more information.
CHAPTER 6
Security Architecture and Models

OBJECTIVES
is important for understanding how to secure it. Learning basic concepts and terms is a start whether your intention is to participate in a formal evaluation, select evaluated products, or merely to understand the systems with which you work. To secure systems, it is first necessary to know what security functionality they have. To determine functionalities, you have to study the security architecture. Using a product evaluated against a recognized security architecture may save some time. Understanding that evaluation, and what you must do to meet it, will allow you to have more secure products in place.
INTRODUCTION
How do you say security? Today it’s popular to speak of it, but I
don’t think most people have learned to pronounce the word yet.
Perhaps it’s the manager, CIO, someone with the purse strings who
will approve anything with the word security in it. Firewall. Yeah,
give me one of those. Intrusion detection, PKI, smart cards, and
tokens—I’ve got lots of security right here, folks.
Or maybe she’s a network administrator. Can’t wait to play with
these new toys? Or she’s found security to interfere with perfor-
mance. Until management changes the directives, security is just
another thing to keep running and keep out of the way of getting
data from here to there—fast.
Could be he’s a programmer, or project manager. Security? Why he’ll
build that right into the product. Crypto, access controls, public
keys, no worries. They say it’s hard to get it right? Bring it on.
Then there’s Joe. Hi, Joe. Joe just wants to get his job done. He doesn’t want to configure a personal firewall, select a secure operating system, or learn anything new. But Joe doesn’t want his identity or money stolen.
And maybe, just maybe, the people with the power to institute sound info-security practices realize the previous reactions for what they are. Perhaps you’re one of them. If so, how does anyone build, buy, and use more secure products? How do you make your infrastructure more secure?
Here’s how. You find out about the joint efforts of those who came before you and what they have said about it. You look for the standards, the validated practices, and certified products that are out there. No one person has the answer. There is always much to learn, and research is continual; but you don’t have to do it alone or rely on commissioning your own study from the ground up. There is a tremendous amount of information available. I’m not talking about academic research, I’m talking about real-world implementable designs that have been and are being used by governments, by financial institutions, by utilities, commercial industries, and organizations around the world. I’m trying to point you to products that have been evaluated against these programs, hoping you will use this information to build or improve your own security operations.

NOTE
Computer Trustworthiness = Trustworthy Computing? Study computer security long enough and you’ll stumble across the concept of computer trustworthiness. That is, a computer is trustworthy if it has a trusted computing base, enforces a security policy, and has domain separation, resource isolation, hardware isolation, software isolation, and software mediation. This “trustworthy” characteristic of a computer system sounds like a component that’s needed in “trustworthy computing,” an initiative that Microsoft has pledged to work for; visit the progress for this project at http://www.microsoft.com/mscorp/execmail/2002/07-18twc-print.asp. How do their products, and those that you use, stand up?
That’s what this chapter is about—architecting security. Taking the
models, the schemas for secure products, the assurance formulas that
exist, and applying them to a real-world environment. If this is
already your modus operandi, no offense meant, but if you like the
way I talk about it, please pass it on.
All these things are important, but you can no longer expect to bandage your systems with security products, which mask your fragility by creating born-again security awareness from software developers. Here’s my point. You’ve got to architect your information systems like they were meant to stand up to more than script kiddies and virus-writer wannabes. It is not a problem you can throw people, product, or money at. Instead, it’s a constant, all-encompassing movement. This chapter introduces you to some of the work that has gone on before. Pick up the flame and run with it.
For these reasons and more, there is less and less difference between
the needs of government and public enterprise for security models
and architecture. The process is the same. The threats must be
understood, the risk analyzed, the products researched, and the plan
developed.
SECURITY MODELS
Discuss examples of security models including the following:
• Bell-LaPadula
• Biba
• Clark-Wilson
• Access control lists

A security model is a prescriptive paradigm. At first, it’s someone’s best guess at formulating a plan to make something more secure. It gets tested, refined, used, and maybe abandoned as the “things” you’re trying to secure and the resources you have to do so change. Nevertheless it is important to know about them. They may be in place where you work, or they may lead you to a better understanding of your job. Their study will also teach you the vocabulary of modeling secure systems. The following security models are a few of the better-known ones:
• Bell-LaPadula
• Biba
• Clark-Wilson
• Access control lists

NOTE
The ICS2 Approach to These Models You’ll find that these models were also discussed in other areas of the book. The ICS2 is redundant regarding the information covered in each domain. In some cases, this is due to the context in which these models are discussed. In other cases, it’s redundancy for the sake of redundancy. Obviously, it’s important that you have an understanding of each model, thus, we once again approach these models with the ICS2 domains in mind.
Bell-LaPadula
Bell-LaPadula is an information flow security model. This model was developed in the 1970s in response to the U.S. government’s concern about security on the mainframe systems it used. The main issue was confidentiality, how to keep unauthorized personnel from accessing data. Access to stored data could be controlled through access controls that identified who could access what. But, what happens when data is moved? The Bell-LaPadula model has as its premise that “information shall not flow to an object of lesser or non-comparable classification.” To understand what is meant by that I’ll detour into some basic security modeling explanations.
Two key terms you need to know are object and subject. By object, I
mean passive items such as hardware, software, and processes that
store information. The subject, however, is used to describe active
processes, such as persons or devices that move information between
objects. Each subject, even if it acts on behalf of another subject, is
assigned a formal security level or clearance. Each object is also given
a security level or classification. Object and subject security levels are
identified by assigned labels.
An easy example of this object-subject relationship is to think of the
nature of government, business, or even personal information. Let’s
use a publicly traded business example. For this business, some infor-
mation is public knowledge. Names, addresses, contact numbers, and
other quarterly information about the stocks are public information.
Other information, such as day-to-day financial transactions, is for
only those processing the transactions, and certain management per-
sonnel. Still other information (the financial health and well being of
the company before the public announcements or going beyond what
is appropriate and legally obligated in those statements) is severely
restricted. For this business, as for your personal life, data has different
classifications and the ability to access information is controlled. You
don’t have to formally label it classified, unclassified, secret, top-secret,
or eyes only, in order for it to be so. Conversely, we give individuals
within our sphere of influence (business, personal life) different levels
of clearance to see our information. (Your lawyer, for example, has
much more privileged information about you than I do.)
So, loosely translated, Bell-LaPadula is saying that one of the ways
data can be kept secure is if the data is never moved from a contain-
er classified at level X to another container that has a classification
lower than X, or that cannot be judged to be of equal or higher clas-
sification. Practically speaking, it’s as if you agreed to keep your cash
safe by never moving it from the bank vault to your wallet. You can
move it to another bank vault, but not to the wallet, pocket, hand,
or refrigerator. Note that I’m not talking about being able to practi-
cally use that data (money in the last example); I’m merely talking
about how to keep it safe.
Why does this security model work? It works because it presumes
(and explains) that access to each classified container, or object, is
also strictly controlled. That is, every subject must have clearance;
they must be authorized to access the container. It also eliminates
possible covert channels (ways of communicating information with-
out seeming to do so).
One classic covert channel might exist in some systems because you
strongly protect access to objects and take great pains to selectively
grant the rights of access to these objects, but fail to prevent the
movement of data from one object to another. Picture, for example,
the results if I have authorization to read and write to the file direc-
tories A and B. Folder A has personnel records in it and is on a
computer drive where access permissions can be set. Folder B has a
document detailing the weekly lunch menu in the company cafete-
ria. Folder B is on a computer or drive where access permissions
cannot be set. Access is controlled by permissions on its entry. You
do not have access to folder A, but as an employee of the company
you have read access to the lunch menu folder, folder B. Because I
have read and write access to both folders, I can copy the personnel
records, which, of course, include salary information, from folder A
to folder B. Now others can read them too!
If our system followed the Bell-LaPadula model, I would not be
able to transfer the personnel files to a publicly available folder.
Extending this concept, any subject that has authorization to access
A-level data does not have write access authorization to B-level data.
Other subjects may have write access to level-B data, and they may
have less clearance than those with access to A. The danger of trans-
fer of information to an object of lower classification is prevented.
This has been a much-simplified description of this model. The model
itself has much more to it. One of its premises is that it follows the
computer science Basic Security Theorem. This theorem states that a
system can be put into a secure state that is security preserving. That
is, a sequence of rules applied to the system in a secure state will result
in the system entering a new secure state. The theorem, and the Bell-LaPadula model, can be proven using set theory and other mathematics. Some other basic concepts of Bell-LaPadula are
• Fundamental modes of access—Access, such as read, write, read only, and so on, is defined to permit access between subjects and objects.
• Dominance relations—A relationship between the formal security levels of subjects and objects describes the access permitted between them.
• Simple security condition—A single statement such as granting read access to a specific object. For example, “Grant Bob read access to file B.”
Biba
Where Bell-LaPadula addresses secure information flow and confidentiality, the Biba model was the first to address integrity in computer systems. In this model, no subject may depend on a less trusted subject, and the primary objective is to prevent users from making modifications that they are not authorized to make.
Biba is based on a hierarchical lattice of integrity levels and is an
information-flow security model. In this model, two rules prevail—
no write up and no read down.
First, no subject can write up to a higher integrity level. Let’s think
about the request I might make at the bank for some money. I make
out a check for $100.00 to “cash” and hand it to the teller. I’m
telling her that I have $100.00 in my checking account and I would
like her to give it to me. The teller, however, does not take my word
about the data in my account (the lower integrity level) for truth.
Instead, she checks the bank’s computer records (the higher integrity
level). If the funds do indeed exist, she gives me the cash and the
work is started to reduce by $100, the balance of my account.
Second, no subject can read down. In our example, the bank com-
puter does not need to read any balance information from the
request that I make. The teller may enter the information that I am
withdrawing $100, and even the balance left in my account, but the
transaction that records the information will not use this informa-
tion, and the processes that manage the account balances have no
authority to read the file that contains the information.
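The two rule sets just described, Bell-LaPadula for confidentiality and Biba for integrity, can be written down as a small mediation function that decides every read and write against the labels of the subject and the object. The following is an added example, not code from the book; the label hierarchy, the compartments, and the clerk, employee and folder names are constructed for the demonstration, and it replays the folder A / folder B copy from the Bell-LaPadula discussion to show the *-property refusing the write down.

```python
# Added example, not from the book: a toy reference monitor that checks every
# access against the Bell-LaPadula confidentiality rules and the Biba integrity
# rules. The labels, subjects and objects below are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Secrecy hierarchy for Bell-LaPadula (higher rank = more sensitive).
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3
# Integrity hierarchy for Biba (higher rank = more trusted).
LOW_INTEGRITY, HIGH_INTEGRITY = 0, 1


@dataclass(frozen=True)
class Label:
    rank: int                                   # position in the ordered hierarchy
    compartments: FrozenSet[str] = frozenset()  # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: rank at least as high and a compartment set that
        contains the other's. Two labels where neither dominates the other are
        the "non-comparable" case from the Bell-LaPadula premise."""
        return self.rank >= other.rank and self.compartments >= other.compartments


@dataclass(frozen=True)
class Entity:
    name: str
    secrecy: Label    # clearance for a subject, classification for an object
    integrity: Label  # Biba integrity level


def blp_allows(subject: Entity, obj: Entity, mode: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and *-property
    (no write down), so information only flows to an equal-or-higher label."""
    if mode == "read":
        return subject.secrecy.dominates(obj.secrecy)
    if mode == "write":
        return obj.secrecy.dominates(subject.secrecy)
    raise ValueError(f"unknown access mode {mode!r}")


def biba_allows(subject: Entity, obj: Entity, mode: str) -> bool:
    """Biba strict integrity: no read down and no write up."""
    if mode == "read":
        return obj.integrity.dominates(subject.integrity)
    if mode == "write":
        return subject.integrity.dominates(obj.integrity)
    raise ValueError(f"unknown access mode {mode!r}")


def mediate(subject: Entity, obj: Entity, mode: str) -> bool:
    """The mediation decision: both models must permit the access."""
    return blp_allows(subject, obj, mode) and biba_allows(subject, obj, mode)


def folder_scenario() -> Dict[str, bool]:
    """The chapter's folder A / folder B example, decided by the monitor.
    Names and labels are constructed for the demonstration."""
    clerk = Entity("hr clerk", Label(SECRET), Label(HIGH_INTEGRITY))
    employee = Entity("employee", Label(UNCLASSIFIED), Label(LOW_INTEGRITY))
    folder_a = Entity("folder A (personnel records)", Label(SECRET), Label(HIGH_INTEGRITY))
    folder_b = Entity("folder B (lunch menu)", Label(UNCLASSIFIED), Label(LOW_INTEGRITY))
    return {
        "clerk reads A": mediate(clerk, folder_a, "read"),            # True
        "clerk copies A into B": mediate(clerk, folder_b, "write"),   # False: write down
        "employee reads B": mediate(employee, folder_b, "read"),      # True
        "employee reads A": mediate(employee, folder_a, "read"),      # False: read up
        "employee writes A": mediate(employee, folder_a, "write"),    # False: Biba write up
        "clerk reads B": mediate(clerk, folder_b, "read"),            # False: Biba read down
    }


if __name__ == "__main__":
    for access, decision in folder_scenario().items():
        print(f"{access}: {'allowed' if decision else 'denied'}")
```

Note the last decision: under strict Biba the high-integrity clerk may not even read the low-integrity lunch menu, which is why real systems that combine the two models usually relax one of them (for instance, by placing ordinary documents at the same integrity level as their readers). The decisions above are only as good as the component that makes them: it has to be invoked on every access and be protected from tampering, which is the reference monitor requirement discussed later in this chapter.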
Clark-Wilson Model
The Clark-Wilson Model also emphasizes data integrity, and does so
for commercial activities. It uses software engineering concepts such
as abstract data types, separation of privilege, allocation of least priv-
ilege, and non-discretionary access control. Clark-Wilson has three
integrity goals:
• Prevent unauthorized users from making modifications
• Prevent authorized users from making improper modifications
• Maintain internal and external consistency
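The three integrity goals are easiest to see in code. In Clark-Wilson, users never operate on protected data (constrained data items, CDIs) directly; they may only run certified transformation procedures (TPs) named in an access triple of user, TP and CDI, an integrity verification procedure (IVP) checks that the data is still consistent, and the person who certifies a TP may not also execute it (separation of duty). The following is an added example, not the book's code, and it goes beyond the three goals listed above to those Clark-Wilson mechanisms; the ledger, the users and the amounts are constructed for the demonstration.

```python
# Added example, not from the book: a toy Clark-Wilson enforcement layer for a
# ledger. The account data, users and amounts are constructed for the demo.
import copy
from typing import Callable, Dict, List, Set, Tuple

Ledger = Dict[str, int]  # the constrained data item (CDI): account -> balance


class IntegrityViolation(Exception):
    """Raised when a TP would leave the CDI in an invalid state."""


def ivp(ledger: Ledger, expected_total: int) -> bool:
    """Integrity verification procedure: internal consistency (no negative
    balance) and external consistency (the balances add up to the total the
    real world says the ledger must hold)."""
    return all(b >= 0 for b in ledger.values()) and sum(ledger.values()) == expected_total


def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    """A certified transformation procedure: moves value between accounts."""
    if amount <= 0 or ledger.get(src, 0) < amount:
        raise IntegrityViolation("transfer rejected: bad amount or insufficient funds")
    ledger[src] -= amount
    ledger[dst] = ledger.get(dst, 0) + amount


class ClarkWilsonMonitor:
    """Users never touch the CDI directly; they run certified TPs named in an
    access triple (user, TP, CDI), and every run is verified and logged."""

    def __init__(self, ledger: Ledger, expected_total: int) -> None:
        self._ledger = ledger
        self._total = expected_total
        self._tps: Dict[str, Tuple[Callable[..., None], str]] = {}  # name -> (fn, certifier)
        self._triples: Set[Tuple[str, str]] = set()                 # (user, tp name); CDI is the ledger
        self.log: List[str] = []

    def certify_tp(self, certifier: str, name: str, fn: Callable[..., None]) -> None:
        self._tps[name] = (fn, certifier)

    def grant(self, user: str, tp_name: str) -> None:
        """Add an access triple, enforcing separation of duty: the agent who
        certified a TP may not be given the right to execute it."""
        if tp_name not in self._tps:
            raise KeyError(f"{tp_name} is not a certified TP")
        if user == self._tps[tp_name][1]:
            raise PermissionError(f"{user} certified {tp_name} and may not execute it")
        self._triples.add((user, tp_name))

    def run(self, user: str, tp_name: str, *args) -> Ledger:
        if (user, tp_name) not in self._triples:
            raise PermissionError(f"{user} may not run {tp_name}")      # goal 1: unauthorized user
        fn, _ = self._tps[tp_name]
        candidate = copy.deepcopy(self._ledger)                          # work on a copy
        fn(candidate, *args)                                             # may raise IntegrityViolation
        if not ivp(candidate, self._total):                              # goals 2 and 3
            raise IntegrityViolation(f"{tp_name} would break the ledger invariant")
        self._ledger = candidate                                         # commit only a valid state
        self.log.append(f"{user} ran {tp_name}{args}")
        return dict(self._ledger)

    def snapshot(self) -> Ledger:
        return dict(self._ledger)


def demo() -> Ledger:
    """Constructed walk-through: an auditor certifies the TP, a teller runs it."""
    monitor = ClarkWilsonMonitor({"alice": 100, "bob": 50}, expected_total=150)
    monitor.certify_tp("auditor", "transfer", tp_transfer)
    monitor.grant("teller", "transfer")
    monitor.run("teller", "transfer", "alice", "bob", 30)
    return monitor.snapshot()  # {"alice": 70, "bob": 80}


if __name__ == "__main__":
    print(demo())
```

Because the TP runs on a copy and the IVP is checked before the commit, an authorized teller who asks for an impossible transfer (goal 2) leaves the ledger exactly as it was, and an unauthorized user (goal 1) never reaches the TP at all.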
REVIEW BREAK
A Review of the Security Models
Four security models, all of which apply to access control, have been discussed here. Table 6.1 summarizes them.

TABLE 6.1
SECURITY MODELS FOR ACCESS CONTROL
Model         | Government | Primary Directive
Biba          | Yes        | Integrity
Bell-LaPadula | Yes        | Confidentiality
Clark-Wilson  | Yes        | Integrity
Reference Monitor
One of the primary concerns in the evaluation of the security of sys-
tems is how the system controls access. Does it use labels or permis-
sions? Are controls mandatory or discretionary? How granular is it?
Is there any way around it? A key component in any secure system
implementation is the one that controls this function, the reference
monitor. The reference monitor is an imaginary device that controls
all access to all objects (passive items such as hardware, software, and
processes that hold or store information) by subjects (active process-
es, persons, or devices that move information between objects).
TABLE 6.2
AN OPEN SYSTEM VERSUS A CLOSED SYSTEM
               | Open     | Closed
User interface | Standard | Nonstandard
Systems such as many modern Unix systems and more recent versions
of Windows systems (Windows NT, 2000, XP, and .NET) default to a
single administrative account, and provide the ability to create users
who are limited in their privileges on the system. In addition, these sys-
tems provide discretionary resource access control. These systems are
not, however, closed systems, though granular control of user access can
contain a user to a single application.
In sum, while there is still a need to distinguish between open and secure systems, you should be careful not to assume that all systems are either one or the other. Remember, too, that even the most secure system must be configured to be so, and must be maintained to stay secure.
Security Principles
A good security system architecture is designed to maximize the use
of recognized security principles. Among these principles are
• Trusted Computing Base (TCB)—The sum of the security functions of the system.
• Execution domain—The OS system area is protected from tampering and accidental modification. In many systems this is implemented by creating a secure area, or kernel, within which the operating system functions. Another layer, the user area, is set aside for application programs.
• Layering—Processes do not do everything. Processes are layered, with each layer having a specific job. An example of this functionality is the requirement for user applications running in the user area of the system to call kernel-level functions when necessary access to system operations is required.
• Abstraction—Acceptable operations are characterized, not spelled out in detail.
• Process isolation—Many processes can be running without interfering with each other. In many systems this means each process is assigned its own memory space.
• Least privilege—A process has only the rights and access it needs to run; only processes which need complete privileges run in the kernel, and other processes call on these privileged processes only as needed.
Security Modes
A security subsystem may be designed to operate in a particular mode.
The mode is based on the need to authorize access to different levels of
data sensitivity. This is one way to view both the nature of the data
available on the computer, and the restrictions on access. The modes are
• Dedicated—No restrictions. All users can access all data. All users have clearance for all data on the system and have signed nondisclosure agreements for all information stored and processed. The users have a valid need to know for all information.
• System high—All users have access approval and clearance for all information on the system. Users have clearance for all information, they have a need to know for some of the information, and signed nondisclosure agreements that require them not to share the information.
• Compartmented—Users have valid clearance for the most restricted information processed on the system, formal access and nondisclosure agreements for that information, and need to know for that information. Data is partitioned. Each area of data has different requirements for access. Users of the system must meet the requirement for the area they wish to access.
Covert Channel
It is important to understand the concept of a covert channel
because it is often an unexpected vulnerability in an otherwise secure
and securely maintained system. Being able to recognize such a flaw
may lead to its prevention.
A covert channel allows an object with legitimate access to informa-
tion to transfer the information in a manner that violates system
security policy. Two types of covert channels exist—covert storage
channels and covert timing channels.
The covert storage channel allows the direct or indirect writing by
one process to a storage area that allows direct or indirect reading by
another process which has less clearance than the first. In essence, it’s
as if an individual with security clearance leaves top-secret informa-
tion lying around on a table at the food court in a mall. This is simi-
lar to when a disk space is shared by two objects that have a different
security classification. In a simple labeling system, subjects with
clearance for either classification have access to the disk. In an access
control list protected system, a folder (directory) has permissions set
that allow both subjects access. When the more sensitive information
is saved on the disk, both sets of controls are applied, and either sub-
ject can access the files.
A covert timing channel exists when a signal of information is modi-
fied due to some other system function. The modified signal may
allow unauthorized individuals to determine the system function
through observation of the other. For example, a recent study con-
cluded that the disk access lights on a system, when carefully stud-
ied, reveal information about the data being processed on the
system.
While covert channels are often the result of system design or con-
figuration, an exploitable channel is a covert channel that is created
with the intention of violating security policy. It is useable or
detectable by a subject external to the trusted computing base.
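A covert storage channel of the kind described above, shared disk space that a more sensitive subject can write and a less sensitive subject can read, can be found by inspecting the configuration rather than waiting for it to be used. The following is an added example, not code from the book: it takes a constructed table of subject clearances and per-object discretionary permissions, reports every object that forms such a channel, and produces a corrected permission set by removing the offending write rights (the *-property applied to the shared objects). Timing channels are not modelled; they depend on observable behaviour, not on stored permissions.

```python
# Added example, not from the book: a static check for covert storage channels
# in a labeled system. The subjects, objects and permissions are constructed.
from typing import Dict, List, NamedTuple

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

Acl = Dict[str, Dict[str, str]]  # object -> {subject: "r" | "w" | "rw"}


class StorageChannel(NamedTuple):
    obj: str
    writer: str  # higher-cleared subject that can write the object
    reader: str  # lower-cleared subject that can read it afterwards


def find_storage_channels(clearances: Dict[str, str], acl: Acl) -> List[StorageChannel]:
    """Report every storage object that a more highly cleared subject may write
    and a less cleared subject may read: a path for information to flow down
    through shared storage, whatever the labels on the original data say."""
    found = []
    for obj, perms in acl.items():
        writers = [s for s, p in perms.items() if "w" in p]
        readers = [s for s, p in perms.items() if "r" in p]
        for w in writers:
            for r in readers:
                if w != r and LEVELS[clearances[w]] > LEVELS[clearances[r]]:
                    found.append(StorageChannel(obj, w, r))
    return sorted(found)


def close_channels(acl: Acl, channels: List[StorageChannel]) -> Acl:
    """Return a copy of the ACL with the offending write permissions removed,
    i.e. apply "no write down" to the shared objects. The input is untouched."""
    fixed = {o: dict(p) for o, p in acl.items()}
    for ch in channels:
        if ch.writer not in fixed[ch.obj]:
            continue  # already stripped by an earlier finding on the same object
        fixed[ch.obj][ch.writer] = fixed[ch.obj][ch.writer].replace("w", "")
        if not fixed[ch.obj][ch.writer]:  # no permissions left
            del fixed[ch.obj][ch.writer]
    return fixed


# Constructed configuration mirroring the chapter's shared-disk scenario.
CLEARANCES = {"hr_clerk": "secret", "employee": "unclassified", "auditor": "secret"}
ACL = {
    "folder A (personnel records)": {"hr_clerk": "rw", "auditor": "r"},
    "folder B (lunch menu)": {"hr_clerk": "rw", "employee": "r", "auditor": "rw"},
    "scratch disk": {"hr_clerk": "w", "employee": "rw"},
}


def audit() -> List[StorageChannel]:
    """Run the check on the constructed configuration."""
    return find_storage_channels(CLEARANCES, ACL)


if __name__ == "__main__":
    for ch in audit():
        print(f"{ch.obj}: {ch.writer} can write, {ch.reader} can read")
    print(close_channels(ACL, audit()))
```

Folder A raises no finding because everyone who can read it is cleared at least as high as everyone who can write it; folder B and the scratch disk are reported, and after the fix the secret-cleared subjects keep only read access to them. A check like this belongs in the review of any system where discretionary permissions sit beside classification labels, since the permissions, not the labels, decide where the bytes can go.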
STANDARDS
Describe information system standards, including the following:
• TCSEC
• ITSEC
• Common Criteria

When information security requirements are high, an evaluation of computing systems and devices should be done before the systems are put into production. If formalized, as is required in many government operations, this process consists of two steps. First, the system is given a technical evaluation and is certified to have the security features that are specified for the job for which it will be used. Second, management must decide to accept the risk of using this system and approve its operation and environment. The management evaluation may result in approval (accreditation) or rejection. In addition, if the systems are to be configured to meet the evaluated circumstances, the objective may be to have the site certified. This type of accreditation requires outside authority and is beyond the scope of mere administrator configuration and local management approval.

NOTE
Standards to Know Historically, several security evaluation systems are of note:
• Orange Book—Trusted Computer System Evaluation Criteria (US) (TCSEC)—1985
• UK Confidence Levels 1989
• ITSEC (1991) Information Technology Security Evaluation Criteria (from the German and French Criteria, and the Netherlands, and United Kingdom)
• Canadian Criteria 1993 Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), a combination of ITSEC and TCSEC
• Federal Criteria 1993 (draft Federal Criteria for Information Technology Security)—later merges into Common Criteria

The diverse nature of computing needs, as well as the capability of computing systems to fulfill them, can create a backlog of requests if each new product must be technically evaluated. Early efforts in the United States to resolve this issue resulted in the Trusted Computer System Evaluation Criteria (TCSEC)—a U.S. Department of Defense standard for computer system security. Better known as the Orange Book due to the color of its cover, this standard consists of a rating system against which systems could be formally evaluated. The receipt of a rating relieved an individual government department from doing the lengthy technical evaluation on its own and prevented duplication of efforts.
• D—Minimal protection
• C—Discretionary protection
• B—Mandatory protection
• A—Verified protection

The primary divisions are further divided into classes, as described in Table 6.3. Within each class, evaluation is based on six fundamental security requirements and the system documentation. They are
• Security policy—Must be explicit and defined by the system.
• Security policy—Must include some form of marking; access control labels must be associated with objects.
• Accountability—This is ensured by requiring the identification of all subjects.
• Accountability—Determined by being able to audit information and attribute actions to individuals.
• Assurance—This is possible by using evaluated hardware and software that enforces security policy.
• Continuous protection—This is ensured because trusted mechanisms protect the system and are themselves protected against tampering and unauthorized changes.

NOTE
It’s Not Perfect Security architecture models address operating system security. They address system access controls, data access controls, system security, and administration and system design. They do not address the issues of physical security nor do they deal with the human factor.
TABLE 6.3
ORANGE BOOK CLASSES
Class | Title | Description
D | Minimal protection | Have been evaluated but don’t meet standards for other classes.
C | Discretionary protection | Need-to-know protection, accountability of subjects, accountability of actions, and audit.
C1 | Discretionary security protection | Separation of users and data, enforces access limitations, users use data at the same level of security.
C2 | Controlled access protection | More granular, user is more individually accountable, logical procedures, auditing, resource isolation; security policy enforcement, accountability, assurance. Controls who can log in, access to resources based on wishes of users, log of user actions.
B | Mandatory protection | Integration of sensitivity labels, labels used to enforce mandatory access rules, specification of TCB, reference monitor concept implemented.
B1 | Labeled security protection | Accurate labeling of exported information.
B2 | Structured protection | Formal security model, discretionary and mandatory access control extended to all subjects and objects. Covert channels addressed. TCB has protection-critical and non-protection-critical elements, trusted facility management (systems admins and operator functions, configuration management control). System is relatively resistant to penetration.
B3 | Security domains | Reference monitor must mediate all access to objects by subjects, and is tamperproof. Unauthorized code is excluded, security policy enforcement, complexity minimized, security administrator supported, audit expanded, and system recovery are required. System is highly resistant to tampering.
A | Verified protection |
A1 | Verified design | Functionally equivalent to B3, but verification techniques are used against the formal security policy. Can give high degree of assurance. TCB is correctly implemented.
Although these criticisms are correct and are the reason that the
newer, international standard, Common Criteria, is now accepted,
you should always remember the climate and status of computing at
the time when this system was developed. It was developed at a time
when computing consisted primarily of mainframe systems used by
government installations and extremely large commercial enterprises.
It was developed by the United States Department of Defense (DoD)
and so primarily addressed needs defined by the DoD. Additional
guides in the Rainbow Series address many of these criticisms.
Rainbow Series
There are some 30 security guides that supplement or explain the
Orange Book. Each book is referred to by the color of its cover.
(There is no significance to the color.) One of the more important
of these guides is the Red Book. This book interprets the TCSEC in
terms of networking. Some other examples of interpretations in the
Rainbow Series are described in Table 6.4.
TABLE 6.4
OTHER INTERPRETATIONS IN THE RAINBOW SERIES
Number | Title | Common Title | Publication Date
CSC-STD-002-85 | DoD Password Management Guideline | Green Book | 4/12/85
CSC-STD-003-85 | Computer Security Requirements: Guidance for Applying the DoD TCSEC in Specific Environments | Light Yellow Book | 6/25/85
CSC-STD-004-85 | Technical Rationale Behind 003-85 (above) | Yellow Book | 6/25/85
NCSC-TG-001 Ver 2 | A Guide to Understanding Audit in Trusted Systems | Tan Book | 6/1/88
NCSC-TG-002 | Trusted Product Evaluations—A Guide for Vendors | Bright Blue Book | 6/22/90
NCSC-TG-003 | A Guide to Understanding Discretionary Access Control in Trusted Systems | Neon Orange Book | 6/30/87
NCSC-TG-004 | Glossary of Computer Security Terms | Teal Green Book | 10/21/88
NCSC-TG-009 | Computer Security Subsystem Interpretation of the TCSEC | Venice Blue Book | 9/16/88
• Unlike the Orange Book, which concentrates on confidentiality, ITSEC addresses the triple threat of loss of confidentiality, loss of integrity, and loss of availability. Those familiar with information security dictums will recognize the famous CIA (confidentiality, integrity, and availability) triad.
• In the specifications, the Target of Evaluation (TOE) is the product or system to be evaluated. The TOE's functionality (can it provide this security function?) and assurance (how do you know it is providing this functionality?) are evaluated separately.
• ITSEC does not require the security components of a system to be isolated into a TCB.
• ITSEC provides for the maintenance of TOE evaluation. Some systems can maintain certification after patches, without formal re-evaluation.

The separation of functionality and assurance is accomplished by recognizing three objectives of evaluation:
• Security functions—What is done.

NOTE
Certification: A certification is a formal statement confirming the results of an evaluation and confirming that evaluation criteria were correctly applied. The evaluation is conditional and is only true when the TOE is configured and used in the manner in which it was evaluated. Certification does not endorse the TOE, nor guarantee its freedom from exploitable vulnerabilities.

NOTE
CIA: Computer security is often defined as the combination of these three principles: confidentiality, or the prevention of unauthorized disclosure of information; integrity, the prevention of unauthorized modification of information; and availability, the prevention of unauthorized withholding of information or resources.
TABLE 6.5
ITSEC LEVELS

Level  Description
E0     Inadequate assurance.
E1     A security target and an informal architectural design exist, with user and administrator documentation on TOE security. The TOE is uniquely identified, and documentation covers delivery, configuration, start-up, and operation. The evaluator tests the security functions. Secure distribution methods are used.
E2     Informal detailed design and test documentation are produced. The TOE is separated into security-enforcing and other components. An audit trail of start-up and output is required. Assessment includes configuration control, developer security, and penetration testing for errors.
E3     Source code or hardware drawings must accompany the product, and a correspondence between design and source code must be shown. Standard, recognized implementation languages are used. Retesting is required after errors are corrected.
E4     Formal security model. Semi-formal specification of the security-enforcing functions, architecture, and detailed design. Sufficient testing. TOE and tools are under configuration control. Changes are audited and compiler options documented. The TOE retains security after a restart from failure.
E5     Relationships between security-enforcing components are defined in the architectural design. Integration processes and runtime libraries are provided. Configuration control is possible independently of the developer. Configured security-enforcing or security-relevant items can be identified, and variable relationships between them are supported.
COMMON CRITERIA
Describe Common Criteria.
What do you get when you buy a CC (Common Criteria) evaluated
product? These products have been through a level of testing and
confirmation of some of their security strengths. The level of the
evaluation indicates the type of testing done, but you get no
guarantee that this product is free from exploitable vulnerability.
If the first two questions are true, and the final one is satisfactory,
you must still remember that the successful evaluation is only a mea-
sure of the extent to which security has been assessed. Keep this in
mind as you study the Common Criteria.
in England, it does not need to be tested in the United States.

The Common Criteria is divided into three parts:
• Part 1: Introduction and General Model—General concepts, principles of IT security evaluation, high-level specification writing, usefulness for target audiences. Good background and reference for consumers.
• Part 2: Security Functional Requirements—Functional requirements, components, Targets of Evaluation (TOEs); good for guidance and references consumers can use to formulate requirements for security functions.
• Part 3: Security Assurance—Assurance requirements for TOEs and evaluation criteria for Protection Profiles and Security Targets. Guides consumers on required levels of assur-

NOTE
Keeping Current: The version of the Common Criteria reviewed here is version 2.1, a version produced to align it to ISO/IEC 15408:1999, which can be downloaded from http://csrc.nist.gov/cc/ccv20/ccv2list.htm or http://www.commoncriteria.org/cc/cc.html. Additional associated modules, items that deal with areas not covered in the initial evaluation such as how to deal with flaws discovered in certified products, are also available from the Web site.

NOTE
• www.cesg.gov.uk/cchtml/ippr/list_by_type.html
• csrc.nist.gov/cc/pp/pplist.htm
REVIEW BREAK
A Comparison of the Orange Book, ITSEC, and Common Criteria
Table 6.6 lists the various classes or levels of Orange Book, ITSEC, and CC in a way that allows easy comparison. This model should serve as a reference to help those familiar with earlier evaluation or certification criteria. It does not mean that a one-to-one correspondence exists at every level. It is more useful as an aid for those security professionals who are getting started with CC, rather than as a direct comparison tool.
TABLE 6.6
STANDARDS COMPARISON

Orange Book (TCSEC)                                                                  ITSEC   Common Criteria Evaluation Assurance Level
D  Minimal Protection                                                                E0      EAL0
                                                                                             EAL1
C1 Discretionary Security Protection (discretionary access control, identification   F1+E1   EAL2
   and authentication, system architecture, system integrity, security testing,
   documentation)
C2 Controlled Access Protection (object reuse, and audit)                            F2+E2   EAL3
B1 Labeled Security Protection (labeling, label integrity, design verification)      F3+E3   EAL4
B2 Structured Protection (covert channel, device labels, subject sensitivity         F4+E4   EAL5
   labels, trusted path, trusted facility management, configuration management)
B3 Security Domains (intrusion detection; security administrator role definition)    F5+E5   EAL6
A1 Verified Design (verified design, more documented version of B3, trusted          F6+E6   EAL7
   distribution)
IPSEC
Describe the Internet Protocol Security (IPSec) standard.
The Internet Protocol Security standard (IPSec) is an IETF standard that describes a set of protocols for protecting IP traffic; any vendor can implement it.
TCP/IP, the original protocol developed for the Internet, and now the primary protocol for internal communications within IT networks and across WAN links, was not designed with security in mind. The protocol was developed with the goals of resilient connectivity and availability.
IP Security was originally designed for the future implementation of
the Internet Protocol, IPv6, but is now specified for the current ver-
sion of IP, IPv4, as well. Numerous implementations exist including
built-in and add-on functionality for routers and firewalls, as well as
packages for client computers. In addition, all versions of Windows
2000, Windows XP Professional and Windows .NET operating
systems have built in IPSec capability.
CASE STUDY: C2 AND WINDOWS NT

ESSENCE OF THE CASE
Three issues are at work here:
. First, a security evaluation should match the intended use of the product.
. Second, administrators should not run tools without understanding what they will do to systems. Adequate documentation explained the C2 certification for Windows NT 3.51 and should have alerted all but the clueless administrator as to what might happen when the tool is applied.

SCENARIO
Windows NT 3.51 was evaluated at the C2 level some years ago, and yet its networking components were not evaluated. A C2 tool was included with the Windows NT Resource Kit. Administrators wanting to have secured systems used the tool. When run, the tool configured the Windows NT system to meet the C2 requirements as established in the evaluation. I think you can guess what happened. When the unwary administrator used the tool, networking components were removed and the system became compliant with the specifications as evaluated, but was useless on the network. Moreover, since the administrator made no effort to understand exactly what the tool was doing, his troubleshooting efforts were compounded.
CHAPTER SUMMARY
This chapter covered various security architecture topics, from the design of access control, to the evaluation of computing systems by international standards. Additionally, a communications protocol standard was introduced from the perspective of security architecture suitable for network communications. Understanding security architecture may just be the lynchpin of future secure computing efforts. Because it is impossible to anticipate the substance of future attacks, those responsible for IT security must return to the philosophy of securing systems first with known security practices, and then later in response to attacks which cannot be met by them.

KEY TERMS
• Assurance
• Bell-LaPadula model
• Biba model
• Channel
• Clark-Wilson model
• Clearance
• Closed system
• Common Criteria
• Compartmentalization
• Covert channel
• Covert storage channel
• Covert timing channel
• Discretionary access control (DAC)
• Discretionary security protection
• Evaluation assurance level (EAL)
• Execution domain
• Export of labeled information
• Formal security model
• Formal verification
• Information label
• ITSEC
• Labeling
• Layering
• Abstraction
• Process isolation
• Least privilege
• Resource access control
APPLY YOUR KNOWLEDGE

Exercises

6.1 Real-World Security Architecture Evaluation

Estimated Time: 30 minutes

1. Find a real-world example of a security architecture system that is in place and describe it.
2. Compare your assessment to the Windows 2000 assessment provided here.

The Windows 2000 security architecture is composed of the following components:
• Local Security Authority—A protected subsystem which maintains information about local security for a system. It also provides translation between names and identifiers, provides interactive authentication services, generates access tokens, and manages the audit policy and settings.
• Net Logon Service—Passes user credentials to the domain controller through a secure channel and returns domain SIDs and user rights. Maintains that channel.
• Security Accounts Manager Service—Maintains the database of local user and group accounts (the SAM) that the Local Security Authority consults when authenticating local users.
• Security Reference Monitor—Arbitrates access control on the system. A user's access token must match the access control lists assigned to resources in order to use them.

All components of the security subsystem track security policies and accounts in use on the system. Accounts in a domain are stored in the Active Directory, whereas local system accounts are stored in the Security Accounts Manager (SAM).

Review Questions
1. How have past differences in public versus government requirements for security architecture affected evaluation criteria and security models that are in use today?
2. Compare the management of integrity by the Biba and Clark-Wilson models.
3. What is a reference monitor and why is it important?
4. Describe the difference between an open and a closed system.
5. Explain domain separation.
6. List possible uses for IPSec.
7. What does the Common Criteria not address?

Exam Questions
1. You apply the specified C2 level configurations to all of your Windows NT 4.0 Workstation and Servers. You now have
2. Which security model addresses only confidentiality?
A. Bell-LaPadula
B. Biba
C. Clark-Wilson
D. Access control lists

3. A flaw that allows a process with legitimate access to information to transfer the information in a manner that violates system security policy is a what?
A. Limited access mode
B. Backdoor
C. Multi-level access system
D. Covert channel

4. The certification emphasis of TCSEC is
A. Confidentiality
B. Availability
C. Integrity
D. Least privilege

5. The B level of TCSEC certification is important because it is at this level that the concept of ____ is introduced.
A. Auditing
B. Accountability
C. Labels
D. Separation of users and data

6. The C2 level of TCSEC certification is important because it is at this level that the requirement for _______ is introduced.
A. Auditing
B. Labels
C. Covert channels
D. Configuration management control

7. The ITSEC security architecture addresses what?
A. Confidentiality
B. Assurance, confidentiality, integrity, and availability
C. Confidentiality, integrity, and availability
D. Integrity

8. A document that describes security requirements and indicates the security problem that the TOE will solve is the what?
A. Security target
B. The protection profile
C. A security functional requirement
D. Covert channel

9. IPSec is composed of which two subprotocols?
A. AH and ESP
B. TCP and IP
C. FTP and TCP
D. FTP and IP

Answers to Review Questions
1. Government requirements for security have been centered around confidentiality. Therefore, many of the early security models (Bell-LaPadula) and architectures (TCSEC) have had confidentiality as their major emphasis. See the "Requirements for Security Architecture and Models" section for more information.
2. The Clark-Wilson model is directed towards commercial enterprise versus the government focus of Biba. Thus Biba focuses on a lattice of integrity and a no-write-up, no-read-down model, whereas Clark-Wilson focuses on software engineering concepts such as abstract data types, separation of duties, allocation of least privilege, and non-discretionary access controls. It also addresses the issues of authorized users making modifications they are not authorized to make, and of preventing unauthorized users from making modifications. See the "Security Models" section for more information.
3. A reference monitor is an abstract concept that stands for the arbitration of access to resources. It is important because it is one of the requirements of secure systems. See the "Reference Monitor" section for more information.
4. An open system is built from published, standard interfaces, so components from different vendors can interoperate with it and its design can be reviewed. A closed system uses proprietary interfaces. Neither is secure by itself; the obscurity of a closed system is not a substitute for evaluated security controls. See the "Open Versus Closed Systems" section for more information.
5. Domain separation is a function of the system design. It means that functions are grouped according to their purpose and their need to access each other and defined resources. This grouping is called the domain of that function. Domain access is restricted. For example, the user functions do not need to access the kernel, so they are not allowed to access that domain. See the "Security Architecture" section for more information.
6. IPSec can be used for confidentiality, data origin authentication, protection against replay, mutual authentication, integrity, and access control. See the section "Uses for IPSec" for more information.
7. Common Criteria does not address issues of electromagnetic control, procedures for accreditation, or assessment of cryptographic algorithms. See the section "Areas Not Addressed by the Common Criteria" for more information.

Answers to Exam Questions
1. C. Applying the steps to configure an evaluated computer to the level at which it has been evaluated only does that: it configures the computer to the same level it was evaluated at. To have an accredited site, you must obtain accreditation from an accreditation body. See the case study and the "TCSEC: The Orange Book and the Rainbow Series" section for more information.
2. A. The Bell-LaPadula security model only addresses issues of confidentiality. See the "Bell-LaPadula" section for more information.
3. D. A back door is a planned access channel to a system. Multi-level and limited access modes are specific operational modes that a system may have. See the "Covert Channel" section for more information.
4. A. TCSEC does not address availability, integrity or least privilege. See the section "TCSEC: The Orange Book and the Rainbow Series" for more information.
5. C. Labels are introduced at B1; the other three are introduced at the C levels. See the "Orange Book Classifications" section for more information.
6. A. Auditing is introduced at C2; the others are introduced at the B levels. See the "TCSEC: The Orange Book and the Rainbow Series" section for more information.
7. B. All these issues are addressed in the standard. See the "Differences between the Orange Book and the ITSEC" section for more information.
8. B. The protection profile (PP) is the answer. The security target describes how a specific TOE meets its security requirements and the criteria against which it is to be evaluated. Security functional requirements are the individual classes defined in Part 2, and covert channels are defined earlier. See the "Part 1: Introduction and General Model" section for more information.
9. A. AH and ESP is the correct answer. TCP and IP are components of TCP/IP; FTP is the File Transfer Protocol. See the section "Architectural Components of IPSec" for more information.
CHAPTER 7
Operations Security

OBJECTIVES

Explain how audit and monitoring can be used as operations security tools.
• Explain how audit logs can be used to monitor activity and detect intrusions.
• Discuss intrusion detection.
• Explain penetration testing techniques.

. Security is not something you do when it pleases you. It is not simply hardening systems (a process of removing unnecessary elements and configuring others to make the system as secure as possible), applying patches, and configuring a firewall. Security is a continual process. One part of the process is monitoring for abnormal events, unapproved changes, and other potential symptoms of attack. Three primary methods of monitoring are audit (are things as they should be?), intrusion detection (is somebody attempting to steal or change things?), and penetration testing (can a friendly force get past your security?).

Define the role of administrative management in operations security.

. Security officers are not the only ones who should be involved in keeping operations secure; each employee has a role to play. Management, however, has a special, key part to perform. Management must be the lynchpin, the element that both connects the activities of others and holds the parts in place. Three management roles that impact security are policy, employee supervision, and expenditure approval.

Define operations security concepts and describe operations security best practices.
• Explain antivirus controls and provisions for secure email.
• Explain the purpose of data backup.
• Detail how sensitive information should be handled.
• Describe how media should be handled.

. Although all operations should be scrutinized to determine the policies and procedures that will best keep them secure, several concepts are so key to survival that they need specific mention:
• Email has become a mission critical operation; every procedure possible should be used to keep it secure.
• Backup remains the one consistent recovery strategy. Without a solid backup plan, every organization's data is at the mercy of a hardware glitch or environmental disaster.
• Sensitive information requires special handling, but does everyone agree on what information is sensitive?
• Media (tapes, discs) is not indestructible. How can you ensure that the media you use will keep your data safe?

risk. Next, we can select countermeasures, or ways to prevent or mitigate the risk that threats will succeed.
OUTLINE

The Roles of Auditing and Monitoring 395
  Using Logs to Audit Activity and Detect Intrusion 396
  Detecting Intrusions 399
  Penetration Testing Techniques 403

Developing Countermeasures to Threats 408
  Risk Analysis 408
  Threats 409
  Countermeasures 411

Concepts and Best Practices 420
  Privileged Operation Functions 421
  Understanding Antiviral Controls 423
  Protecting Sensitive Information and Media 425
  Change Management Control 427

Chapter Summary 430

Apply Your Knowledge 432
STUDY STRATEGIES

. Operations security covers a lot of ground. From management of equipment to management of people, the topics it relates to have no end. One of the challenges of understanding this broad topic is its reliance on the underlying technology. Concepts and best practices will not make sense if you do not understand how computers, networks, programs, data centers, and businesses work. If you do not already have some experience with them, try to find someone who does and ask them to help you understand. Spending some time with Chapter 2, "Telecommunications and Network Security," will help as well.

. If your background is not in technology, mastering the material in the domains of Security Management, Telecommunications and Networking Security, Disaster Recovery and Business Continuity, and Application and Systems Development is essential. Study them first, and this chapter will be easier. If your background is technical, do not be frustrated by the light treatment of technical content here. Operations security is more concerned with the big picture than with the intimate details of how to configure or code.

. Whatever your current job description, whatever your background, use your knowledge of this domain to do two things:
• First, see what you can determine about operations security at your organization. If you aren't working in a directly related area, don't be surprised if you can't find out much. Good operations security is transparent; that is, it reveals little about the specifics of its activities.
• Second, operations security principles can be applied to things other than computer operations. Military organizations have long used these principles to improve their prospects of success. Practice these principles on your activities on the Internet. What can someone learn about you while you're online? How might that be used to their advantage? What can you do to diminish the amount of information that can be gleaned from your activities?
INTRODUCTION
Operations security is the combination of two practices. It is the
implementation of sound security principles and the gleeful applica-
tion of a paranoiac viewpoint to day-to-day operations.
There are many lists and papers that discuss the how and why of
hardening systems and securing data. We know, in general, the steps
we need to take to secure our data, our systems and our network.
We can provide reams of documentation that detail how to best
handle tapes; keep dirt and dust out of the data center; avoid con-
flict of interest; reduce opportunities for fraud, embezzlement, and
espionage; and secure OSes, applications, and hardware. This general
security takes us a long way. But it is the second practice, the activity
which stems from seeing through the eyes of the enemy and operat-
ing as if “everyone’s out to get me” that moves security beyond the
static application of practice to the daily strengthening of defenses.
Imagine you live in ancient times. Imagine you are a king out to
conquer the world. You are not content to wait for your enemies to
attack, but you are not willing to advance without knowledge of the
enemies’ strengths, weaknesses, and plans. Daily, you send spies to
reconnoiter the territory, and daily you torture the captured to dis-
cover information about your enemy. You spend endless hours
sketching his operations. How many horse soldiers does he have,
and how many pikemen? Can his defenses stand up to your batter-
ing ram or catapult? Did your last attack deplete his forces, or are
reinforcements close by?
One of your spies returns with the details of your enemies’ defenses.
Buckets of boiling oil await your next attempt at climbing the outer
walls. The drawbridge is up and archers man the slits in the wall.
Beneath the deep, dark waters of the moat lurk strange animals that
occasionally break the surface with a fin or scaled side.
Suddenly, your reverie halts. Your body stiffens, recognition dawns.
Your enemy must be studying you, as you study him. What actions
might your troops be performing that give away your defenses,
intentions, and vulnerabilities? Subtly, quietly, you change your
modus operandi to mask what you are about.
In this way, operations security, or OPSEC, was born. OPSEC is the
practice of looking at your sensitive operations through the eyes of
your enemy and developing your security practices so he sees noth-
ing. This natural complement to defensive measures has long been a
practice of the military. Because you are concerned with computer
security I will describe this process by looking at computer opera-
tions. However, OPSEC could be applied to all business operations,
whether or not they include the use of computers.
To protect both data and computer operations, operations security
must be strong in both general security and the practice of OPSEC.
Organizations must follow the military practice: Develop a strong
defense based on current knowledge, and improve those defenses by
scrutinizing operations from the perspective of the enemy. This
chapter explains how to achieve both approaches.
• Operational controls—These are day-to-day procedures and mechanisms that include physical and environmental protection, privileged entry commands, change control management, hardware controls, and input and output controls.
• Audit and variance detection controls—These are audit logs that contain information on the exercise of privilege and/or records of system activity. Variance detection products detect and can send alerts when unusual activities occur. Intrusion detection systems fall into this category, as do special programs such as Jammer and Tripwire, both of which record changes to file systems and operating system configuration databases.
• Application software maintenance controls—These controls monitor installation and updates to applications, and they keep a record of changes.
• Technical controls—These controls audit and journal integrity validations, such as checksums, authentication, and file system permissions.
• Administrative or management controls—These control personnel screening, separation of duties, rotation of duties, and least privilege.

Input and output controls protect computers and applications by monitoring and rejecting or accepting data at these entrance and exit points. The infamous buffer overflow is a good example of the problems that occur when poor input controls exist. Although a more complete discussion can be found in the Application and System Development domain, it's important to note two things. First, a buffer overflow results when more data is passed into a program, or part of a program, than the storage set aside for it can hold. It's the technology equivalent of having too much to eat or drink, with the same unpredictable results.

NOTE
Pound. Pound. Pound. Do you remember the commercial advertising one telecommunications company's ability to bill for time periods of less than a minute? In the commercial, a gum-smacking grocery clerk weighed every vegetable or part of the vegetable as one pound and charged accordingly. I had a similar experience recently. I filled my shopping cart with vegetables and fruits. During check-out, I typically pack sacks instead of observing the clerk's operations. This grocery had an automatic scale. The clerk has only to place the produce on the scale and punch in the unique code. The cash register does the math and adds it to your bill. At one point the clerk remarked, "Boy, that's an expensive mushroom!" I had placed a single Portobello mushroom ($5.99/lb) in my cart. It weighed about 1/2 lb. The price on the readout was $17.97. Long story short, the scale was broken and was weighing every fruit or vegetable as if it weighed three pounds! Management was apologetic and for my troubles gave me all my fruits and vegetables free. In short, the clerk served as an output control. She saw something out of the ordinary and called the entire operation into question.
REVIEW BREAK
Control Types
I'm sure you can come up with specific controls you might have implemented in the past, but can you then take each control and map it to the control types mentioned previously? Table 7.1 groups similar controls and identifies their type.

TABLE 7.1
CONTROL TYPES

PC Control                                                   Control Types from Different Schemas
Requiring passwords for access, requiring biometrics         Technical                      Preventative
  for authentication
Disk locks                                                   Technical                      Preventative
Acceptable use policies, requiring virus check of            Operational                    Preventative
  portable media
Checking for compliance                                      Audit and variance detection   Corrective
Using antiviral software                                     Technical                      Preventative
Requiring file encryption                                    Technical                      Preventative
Training in controls                                         Management                     Preventative
Requiring that help desk or IT staff, not users,             Management                     Preventative
  configure PCs
Software code audit looking for buffer overflows             Technical                      Input, output
Loading a personal firewall/IDS system                       Technical                      Detective
Tip-off indicators provide focus for the attacker by telling him where to concentrate his efforts. These might be an increased volume of visitors, an increase in activity, the arrival of important staff, the use of particular acronyms, and so forth. Tip-off indicators can also be technical in nature, such as the ability to determine the operating system or Web server type in use. For example, the ability to determine that a Web server is Microsoft IIS allows an attacker to select IIS-specific attacks. Another type of tip-off indicator might alert a potential attacker to your countermeasures against his attack, which would then allow him to develop countermeasures to your countermeasures. To learn more about indicators, check out this article at the Central Florida Industrial Security Awareness Council Web site: www.cfisac.org/resource/OPSEC%20Indicators.
IN THE FIELD
I'm not going to provide you with the URL where I found this information, but I think it's important to realize such information can readily
be found on the Internet with little effort. Recently I was searching
for something totally unrelated when I found a reference to some
interesting ISP data. The keywords password and policy caught my
attention. The link did not produce results, but the cached pages
were still available from the search engine. Here’s what I found:
• Descriptions of internal security measures
• How access for internal users could be obtained
• Copies of the forms used to request access to a customer
mailbox and the procedure used to do so
• Names of members of the help team and what they had
control over
• Who was responsible for maintaining account access
• Phone numbers for the security response center (this was
advertised as the place for employees to go to reset pass-
words)
This, obviously, is not information that should be exposed on the
Internet. Information like this could enable an attacker to impersonate
an employee and possibly obtain access to confidential information.
By the way, the information is now also removed from the cache.
09 078972801x CH07 10/21/02 3:38 PM Page 395
FIGURE 7.1
Audit logs present information related to security activity.
Table 7.2 lists the typical information found in logs, the type of log
the information is found in, and how it might be used for auditing
or intrusion detection purposes.
TABLE 7.2
WINDOWS 2000 LOGS
Information: Record of system start up, normal shut down, and nonstandard shut down
  Log Type: System
  Discussion: Many attacks require physical access to the computer console and the ability to access maintenance modes or to boot to different OSes. Matching system shut down and start up to recorded maintenance events can reveal the existence of compromise attempts (or successes). Knowing that a system has been rebooted should trigger further investigation. In the mainframe world, start up is called Initial Program Load (IPL). An unscheduled IPL might also be evidence of an attack.
Information: Failed logon
  Log Type: Security
  Discussion: Can be symptomatic of a user who has forgotten her password, or it might record an attempt to break into an account.
Detecting Intrusions
Intrusion detection is a technique used to identify intrusion attempts at and successful intrusions into a network or host machine. To understand intrusion detection techniques you must learn a little about how information from one computer travels to another. Just as voice communication over a telephone requires a conversion from words recognizable to the human ear to electric patterns that can flow across a wire, so data which can be viewed through application interfaces on a computing system must be modified for transmission. It must be changed into electronic signals that can travel between computer network interfaces and eventually reformed into data that can be used by the computer or by a human viewing the data through applications that reside on it.
Just as the destination computer can translate the data into a meaningful form to humans, the data traveling between computers can be captured and its patterns analyzed to determine its meaning. This can be useful to administrators who are troubleshooting, but it is also useful to attackers looking for information.
Various network monitors, intrusion detection devices, sniffers, and protocol filters can be purchased and run to collect or capture the data traversing the network. The data can then be analyzed. Hardware-based analyzers are attached to the network to listen to all communications. Software-based sniffers run on normal PCs. Because a PC normally only pays attention to data meant for it, the software-based sniffer alters the normal mode of the network interface card in the computer to “listen” to all the data on the network. The collected data is called a capture. This new mode of the network interface card is called promiscuous mode.
Figure 7.2 is a capture taken with Microsoft’s Network Monitor. The screen is divided into three sections. In the top section, all captured packets are listed. The highlighted packet is expanded in the middle section. Each + represents an area of information that can be expanded.
FIGURE 7.2
Information gathering using Network Monitor.
Packet analyzers, monitors and sniffers can also be used for good. In addition to providing an excellent resource for troubleshooting network problems, the data can reveal attacks. If a malicious person is attempting an attack, capturing and analyzing packets on your network can help you determine what is occurring or what has occurred. An experienced person can also determine exactly what the attacker was attempting and whether or not she was successful. This is known as intrusion detection.
Intrusion detection is accomplished by extracting data and by the recognition of traffic and traffic patterns. Trained individuals can take the raw data produced by a network sniffer and deduce what is happening. Likewise, modern intrusion detection systems (IDSs) and applications attempt to take this knowledge and provide automatic alerting and even action based on programmatic analyses of events and the discovery of inappropriate, unusual, or incorrect activity. Some IDSs also use information from computer logs. Many IDS products exist. In fact, David Sobirey lists over 90 intrusion detection systems on his Web site at http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html. Some of the more recognizable commercial products include BlackICE (http://www.iss.net/products_services/hsoffice_protection/), Cisco Secure IDS (http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/netra_ds.htm), eTrust Intrusion Detection (http://www3.ca.com/Solutions/Product.asp?ID=163), Network Flight Recorder (NFR) (http://www.nfr.net/), Real Secure (http://www.iss.net), Shadow (http://www.nswc.navy.mil/ISSEC/CID/), and more than one free product, such as Snort available at www.snort.org.
Two types of IDSs exist: host and network. A host-based IDS requires loading software on the host machine. The software listens to traffic coming to and going from its host machine. It can also take advantage of information in the computer’s logs and monitor the integrity of the file system for a broader picture of changes and attempted changes that might mean an intrusion attempt is in process or has occurred. To be effective, the host IDS software should be loaded on every computer. Host intrusion detection systems are considered more effective in detecting insider-based attacks. A network-based IDS analyzes all traffic on the network. A central management station usually manages the information gathered by the host and network IDSs. Figure 7.3 diagrams this concept. In the figure, you can see the multiple RealSecure server sensors and the Manager Console.
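What the "monitor the integrity of the file system" function of a host IDS looks like in code. This is an added example, not the book's code or any product's; the file paths and contents are a constructed in-memory snapshot, and the baseline is protected with an HMAC so that a tampered baseline is refused rather than trusted.

```python
import hashlib
import hmac
import json

# Constructed baseline snapshot of a few monitored files (path -> contents); on a
# real host these bytes would be read from disk. Not real system files.
SNAPSHOT_CLEAN = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/ls": b"\x7fELF constructed stand-in for the ls binary",
}

# Constructed later snapshot: passwd gained an extra UID-0 entry, sshd_config is
# missing, an unexpected file appeared under /tmp, and ls is unchanged.
SNAPSHOT_LATER = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n"
                   b"svc:x:0:0::/:/bin/sh\n",
    "/usr/bin/ls": b"\x7fELF constructed stand-in for the ls binary",
    "/tmp/.cache": b"constructed unexpected file",
}


def build_baseline(snapshot):
    """Record a SHA-256 digest and size for every monitored file."""
    return {
        path: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
        for path, data in snapshot.items()
    }


def _canonical(baseline):
    # Stable serialisation so the MAC does not depend on dictionary order.
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(baseline, key):
    """HMAC over the baseline database. Integrity tools protect their database
    because anyone who can edit the baseline can make a change disappear."""
    return hmac.new(key, _canonical(baseline), hashlib.sha256).hexdigest()


def verify_baseline(baseline, key, mac):
    return hmac.compare_digest(sign_baseline(baseline, key), mac)


def diff_against_baseline(baseline, snapshot):
    """Compare a fresh snapshot with the baseline: added, removed, modified paths."""
    current = build_baseline(snapshot)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def run_check(key, baseline, mac, snapshot):
    """One scheduled integrity run: refuse a baseline that fails its MAC, else
    report the changes so the operator can match them against change records."""
    if not verify_baseline(baseline, key, mac):
        return {"error": "baseline database failed its integrity check"}
    return diff_against_baseline(baseline, snapshot)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    baseline = build_baseline(SNAPSHOT_CLEAN)
    mac = sign_baseline(baseline, key)
    print(run_check(key, baseline, mac, SNAPSHOT_LATER))
```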
FIGURE 7.3
Diagram labels: R&D, Internet, Finance, Human Resources, Systems Management, Trusted Third Party, RealSecure Server Sensor, Web Server Pool, RealSecure Network Sensor.
on attack signature recognition (the matching of known attack patterns with incoming data) and must be tuned and updated. A good IDS will provide an update service so that new attack signatures can be added. One of the tuning mechanisms is the capability to set the number of errors or instances of unusual activity that will cause an alarm. This is called setting the clipping level. For example, any system exposed to the Internet is subject to random port scans; in fact, it has become so common that we can almost liken it to the existence of background radiation. If an IDS were to alarm on every scan, not much other work would get done, and administrators would probably begin to ignore alarms. Setting a clipping level at some number of scans over the ordinary will provide warning when the normal background scanning has risen—perhaps indicating an attack directed at the network.
In addition to packet inspection-based intrusion detection systems, many products such as AXENT, Tripwire, and Cybersafe, provide unique host-based functions such as monitoring file system integrity and recognition of user access changes.
NOTE
Clipping Level Is Not Just for IDSs
Clipping level is a useful concept for more than IDSs and often indicates the level at which errors become more than accidental. Many common occurrences can be an indication of an attack, or the result of human error. When is a failed logon an indication of password guessing or cracking in progress? How many visits to porn sites should be considered a violation of acceptable use rules? Can a single attempt to read a sensitive file be a reason for investigation? All these occurrences can be the results of simple errors. If employees John and Sally have trouble remembering their passwords, but most other employees do not have this problem, and dozens of failed logons are recorded in the logs, something is obviously going on. A number of pornographic sites delight in having domain names similar to popular sites. Occasional hits on these sites should not result in an arrest warrant. However, if a particular file contains sensitive information and is difficult to access, even a single failed read can be cause for alarm. All these items and more can have dual meanings. Setting a clipping level will help you avoid overreaction.
Setting a clipping level has a downside as well. Intruders know about clipping levels and will seek to slowly attack your system, hoping to remain beneath your “radar” to eventually break into your system.
Penetration Testing Techniques
To defend the network against attack, you should not only be aware of generalized system hardening techniques, but you should also understand typical penetration (pen) testing techniques. In other words, you must study common scenarios to obtain information about the network and common attack techniques. Please note: I did not say you should use this knowledge to attack a system. Although pen testing of your own network can gain valuable insight into its vulnerabilities so that you can patch them, even this type of attack should not be done without written permission from the highest level of management possible, and it must be carried out by experienced personnel. Penetration testing is by definition intrusive, and some tools can harm systems. The object of ethical hacking, or the use of hacking tools to find vulnerabilities and patch them, is to secure networks, not to destroy them.
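The clipping-level tuning described above, applied to the failed-logon and single-sensitive-read cases from the note, run over a constructed log. This is an added example, not code from the book or from any IDS product; the one-line-per-event log format, the account names and the file names are constructed, and the default ten-minute window also reproduces the note's "beneath your radar" downside, which a longer window catches.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, one event per line (not real Windows 2000 Security log output):
# john and sally mistype passwords a few times, "administrator" sees a burst of
# failures, "lowslow" fails once every three minutes, and jsmith makes a single
# failed read of a sensitive file.
SAMPLE_LOG = """\
2002-10-21 08:00:05 FAILED_LOGON john
2002-10-21 08:00:40 FAILED_LOGON john
2002-10-21 08:01:10 LOGON john
2002-10-21 08:03:00 FAILED_LOGON sally
2002-10-21 08:03:30 FAILED_LOGON sally
2002-10-21 08:04:00 FAILED_LOGON sally
2002-10-21 08:04:30 LOGON sally
2002-10-21 09:10:00 FAILED_LOGON administrator
2002-10-21 09:10:05 FAILED_LOGON administrator
2002-10-21 09:10:10 FAILED_LOGON administrator
2002-10-21 09:10:15 FAILED_LOGON administrator
2002-10-21 09:10:20 FAILED_LOGON administrator
2002-10-21 09:10:25 FAILED_LOGON administrator
2002-10-21 09:10:30 FAILED_LOGON administrator
2002-10-21 09:15:00 FAILED_READ jsmith /finance/payroll.xls
2002-10-21 09:20:00 FAILED_READ john /home/john/notes.txt
2002-10-21 10:00:00 FAILED_LOGON lowslow
2002-10-21 10:03:00 FAILED_LOGON lowslow
2002-10-21 10:06:00 FAILED_LOGON lowslow
2002-10-21 10:09:00 FAILED_LOGON lowslow
2002-10-21 10:12:00 FAILED_LOGON lowslow
2002-10-21 10:15:00 FAILED_LOGON lowslow
"""

# Files that are "difficult to access" in the note's sense: a single failed read
# is worth a look. Constructed for this example.
SENSITIVE_FILES = {"/finance/payroll.xls"}

# Clipping levels: an alarm fires when one account's event count inside the
# window EXCEEDS the level. Level 0 means a single event is enough.
DEFAULT_LEVELS = {"FAILED_LOGON": 5, "SENSITIVE_READ": 0}

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (\S+)(?: (\S+))?$")


def parse_log(text):
    """Return (timestamp, event, account, object) tuples, skipping bad lines."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records


def categorize(event, obj):
    """Map a raw event onto the category that carries a clipping level, if any."""
    if event == "FAILED_LOGON":
        return "FAILED_LOGON"
    if event == "FAILED_READ" and obj in SENSITIVE_FILES:
        return "SENSITIVE_READ"
    return None


def peak_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def clipping_alarms(records, levels=DEFAULT_LEVELS, window_minutes=10):
    """Return (category, account, peak_count) for each account whose peak count
    inside the window exceeds that category's clipping level.

    With the default ten-minute window the burst against "administrator" and the
    sensitive read alarm, while john, sally and the slow attacker stay below the
    level. A day-long window (window_minutes=1440) also catches the slow pattern."""
    window = timedelta(minutes=window_minutes)
    buckets = defaultdict(list)
    for ts, event, account, obj in records:
        cat = categorize(event, obj)
        if cat in levels:
            buckets[(cat, account)].append(ts)
    alarms = []
    for (cat, account), times in sorted(buckets.items()):
        peak = peak_in_window(times, window)
        if peak > levels[cat]:
            alarms.append((cat, account, peak))
    return alarms
```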
STEP BY STEP
7.1 Penetration Testing
1. Determine the target. If your purpose is to gain notoriety,
pick a very large and very public organization with a name
that everyone recognizes. However, because that company
probably has the best intrusion detection and security
defenses and most knowledgeable administrators, you
might want to pick a large company, not necessarily the
biggest or most well known.
2. Footprint or profile. If possible, plant someone inside the targeted company and use social engineering techniques to obtain insider information. Low-level employees, such as janitors, guards, and other service personnel can plant bugs, steal documents, and social engineer information. Perhaps they can shoulder-surf and memorize a password being typed in or find passwords pasted to monitors or under keyboards.
In addition, use the Internet and other publicly available information (such as newspapers and magazine articles) about the company and its computing systems. Often the company will publish an amazing amount of useful information on its Web site, such as the location of data centers, new processing systems in place, and the names of software programs used. The Web site can indicate which type of Web server is in use. Searching the company’s product information can also reveal information. If the company develops software products for IBM’s AIX, it’s a pretty sure bet that a large percentage of their internal servers, and maybe their Web server, are AIX as well. White papers, success stories, and partner lists can reveal what products your target is using and even the cities where they are deployed. SEC databases, employee profiles, and Usenet membership can provide useful information.
FIGURE 7.4
Using Whois to find the IP address of the Web server.
FIGURE 7.5
Using ARIN Whois to enumerate the network.
NOTE
Use the American Registry for Internet Numbers (ARIN) (http://www.arin.net/whois/index.html) whois tool to determine the IP address block assignment for a company (see Figure 7.5). Entering one known IP address in the whois tool returns the range of addresses assigned to a particular domain. These will be routable Internet addresses, which means if they are assigned to an Internet-connected computer, they are reachable and attackable from the Internet. Note that an address might be assigned, but might not represent an Internet-connected computer. You might also have to use ARIN’s counterpart to obtain this kind of information. For Europe, use http://www.ripe.net/ripencc/pub-services/db/whois/whois.html.
continued
5. OS Enumeration. Scanning can also find other information. Many services, when they receive a connection request, issue a banner, or string of information. It can include the name of the service as well as the operating system version. Port scanners can return this information. In addition, a telnet client can be used. Directing the telnet client at a port commonly used for a particular service will usually display the returned banner. Another tool that can determine the OS (and other information) is netcat (Unix and Windows versions are available from http://www.atstake.com/research/tools/#forensic). Knowing the name of the Web server or operating system allows a directed attack using knowledge of a vulnerability associated with that operating system or service. The process of seeking this information from the information provided is banner grabbing. OS fingerprinting can also be accomplished due to subtle differences in the responses of different TCP/IP implementations, and by common Web page extensions. The existence of a page called Mywebpag.asp, for example, would identi-
stored locally? Are there links to databases?
NOTE
document outlines how a team of well-heeled and knowledgeable hackers could succeed in this attack. The step-by-step account is logical, believable, and chilling.
DEVELOPING COUNTERMEASURES TO THREATS
Define threats and countermeasures.
The way to eliminate or mitigate risk is to develop and follow countermeasures for each identified threat to information systems. It sounds so simple, doesn’t it? What complicates this seemingly straightforward approach to security is the existence of multiple threats and their continually changing nature. Threats that yesterday were considered unlikely are now possible. Some threats seem to have little risk, and therefore companies are less likely to apply the countermeasure if costly or inconvenient. Not all that long ago, although airlines recognized the threat of airplane hijacking, they felt the inconvenience of applying extra countermeasures outweighed the slight risk. 9/11 changed that, and since then we have seen increased vigilance and security measures at all U.S. airports.
Risk analysis determines which threats require development and implementation of countermeasures.
Risk Analysis
The process of risk analysis is used to determine whether threats to systems will result in damage. An analysis of vulnerability and possibility determines how great the risk might be. Risk analysis often results in a ranking of threats from those most likely to those least likely to cause damage. This ranking then determines the expenditure of resources including money and staff in a direct proportion to the level of risk. Two methods are used:
• Quantitative risk analysis—Involves multiplying the probability that an event will occur times the monetary loss. Typical formulas used are Annual Loss Expectancy (ALE) and Expected Annual Cost (EAC). This process is difficult (because it’s difficult to figure out what the reliable probabilities are) and time-consuming. Automated commercial products, which do the calculations for you and even recommend risks to quantify, are available.
Threats
Risk analysis is conducted on and countermeasures are developed for
perceived threats. Table 7.3 lists common information system threats
and describes examples.
TABLE 7.3
COMMON INFORMATION SYSTEM THREATS
Threat: Errors
  Notes: Incorrect password configuration.
  Example: Default, well-known passwords are not changed.
Threat: Omission
  Notes: Patches are not applied.
  Example: Patches for IIS were not applied and many IIS servers were infected with Code Red.
Threat: Fraud
  Notes: Company assets are obtained by misrepresentation, or modification of information.
  Example: Paycheck amounts increased by claiming overtime hours not worked, customer records stolen, or software taken by employees for home use.
Threat: Misuse of information
  Notes: Sensitive, private information is used for personal gain.
  Example: Use of earnings knowledge to buy or sell shares (insider trading).
Threat: Employee sabotage
  Notes: Employee uses knowledge of company operations and systems to destroy or damage.
  Example: Time bombed code loaded on servers by administrator destroys data the day after the employee is fired.
Threat: Ignoring policy
  Notes: Employees know the rules but do not obey.
  Example: Accidents caused by not following safety rules. Accidental destruction of data backup by leaving tapes in the trunk of a parked car during a summer heat wave when policy states immediate transport in air conditioned vehicle.
Threat: Physical accidents
  Notes: These are the result of physical circumstances as opposed to system malfunction, or inadvertent misuse of the system.
  Example: Electric shock, moving parts of printers.
Threat: Software malfunction
  Notes: Bugs or security vulnerabilities.
  Example: Buffer overflow causes reboot or leaves the system open to compromise.
Threat: Malicious code
  Notes: Code is run on system with undesirable results.
  Example: Code Red, Nimda, I Love You, and so forth.
TABLE 7.4
EMPLOYEE JOB DUTIES, ACCESS LEVEL, AND RISK
Job: Computer operator
  Description: Do backups, run jobs, mount tapes, load paper in printers, record, report problems, operate with devices, software products, system performance metering, heat control, humidity controls
  Access Level: Console, tape/disk drives, printers, operations files, documentation, problem/change management system
  Risk: Gains access to production data, production maintenance, and job control, program documentation; turns off logging (can lose audit trail); potential loss of system records due to not enough room on media
Job: Operations analyst
  Description: Analyzes computer memory and hardware requirements; estimates use of disk and tape, performance; advises on operations documentation; establishes backup, recovery procedures; monitors service level agreements; installs new hardware and telecommunications; replaces obsolete items, and troubleshoots
  Access Level: Test files, operation documentation, system performance reports
  Risk: Access to production data files and production application programs
Job: Job control analyst
  Description: Job control language; assists application programmers; reviews production problems using problem change management process; tests and implements new features; and assists in product troubleshooting
  Access Level: Test job control files, job scheduling files, operations documentation, problem/change management system
  Risk: Access to production data files, application programs, and job control files
Job: Production scheduler
  Description: Plans, creates, and coordinates computer processing schedules for production jobs and job streams; consults with end users and application programmers concerning production schedules; completes ad hoc jobs; reviews results in comparison to planned schedules; and updates and issues monthly billing schedules
  Access Level: Job scheduling files, operations documentation, problem/change management system
  Risk: Access to production files, data files, production application programs, and job control files
Job: Production control analyst
  Description: Printing, balancing, distribution of reports and records, manages printer, burster, and decollator, balances required reports, assists production scheduler, and performs inventory counts and computer supplies
  Access Level: Computer equipment, supplies and reports, and problem/change management system
  Risk: Delivers reports to wrong individuals, theft of supplies
Job: Tape librarian
  Description: Collects input tapes; sends/receives tapes from off-site storage; maintains tapes and cartridges; ensures adequate supply, tape storage, and vault; ensures critical backup; pulls historical files and stores at local tape vault or ships to offsite location; maintains logs; and controls physical inventory of tape library
  Access Level: Automated tape library, problem change management system
  Risk: Production data files, application programs, and job control files
Countermeasures
Establishing Countermeasures for
from the candidate’s current employer—Understandably, this is not always available during the interview process, but it should be requested from the former employer before the employee starts work.
• Checking public records, including court records, marital record, educational record, military record, law enforcement records, public documents and credit bureaus.
• Requiring drug testing.
• Considering insurance and bonding—A surety bond reimburses a company for loss due to theft of specific assets and fraud.
• Looking for conflicts of interest—Has the candidate received fees from vendors for obtaining business?
Investigation of part-time employees might be necessary as well, depending on the nature of the job and the length of employment.
NOTE
Other Than IT Employees? Other employees can directly impact the security of information systems. Vendor employees, air conditioning, maintenance engineers, and building personnel all have contact with equipment and are provided entry into protected areas. Good countermeasures are to require bonding, not to allow free access (instead require service orders), and to require identification and signing in and out. Observe to ensure personnel only access required equipment and only enter required areas of restricted areas. Always escort people into secure areas, and never leave them unattended.
When employees leave the company, whether they resign or are fired, strong countermeasures should be applied. An exit procedure should be defined that includes a checklist of duties. Items of importance are the collection of keys, ID cards, and other company materials and the changing of locks, passwords, and other access codes.
NOTE
Double Take! Is the IT department at your company notified of employee exits? Frankly, this is a huge problem. IT departments should be notified, but frequently they are not. Unless an IT employee validates user accounts on a regular basis, an audit might uncover numerous accounts still enabled years after employees have left the company. At one account where I recently assisted in an audit, we found over 1,000 accounts that had not been used in over six months! Countermeasures include setting expiration times for accounts and scanning logon records to find accounts that have not been used in several months. Automated utilities exist to assist in finding this information.
Gruntling Program
It’s commonly said that disgruntled employees are responsible for much employee fraud, destruction of data, and other malfeasance. More than one commentator has said in reply, “You need a gruntling program then.”
Often, employees who sabotage are quoted as saying that no one cared, that the company treated them like things, not people. It’s clear that a policy that promotes employee satisfaction and removes the common causes of disgruntlement is long overdue. Consider it a countermeasure to employee-related threats. Here are some ideas that might work:
TABLE 7.5
CERTIFICATIONS FOR SECURITY MANAGERS
Title: Certified Information System Security Professional
  Initials: CISSP
  Manages Certification: (ISC)2, www.isc2.org
Title: Certified Information Systems Auditor
  Initials: CISA
  Manages Certification: Information Systems Audit and Control Association, www.isaca.org
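The account validation that the Double Take! note above recommends, scanning logon records for accounts unused for months and giving every account an expiration time, as an added example. It is not the book's code or the output of any directory tool; the account list, the HR exit list and all dates are constructed, and the scan also flags accounts whose owner is on the exit list but which IT was never told to disable.

```python
from datetime import date, timedelta

AS_OF = date(2002, 10, 21)   # the day the scan runs (constructed)

# Constructed account records: enabled flag, last successful logon (None if never),
# creation date, and the account's own expiry date (None if none was set).
ACCOUNTS = [
    {"name": "alice", "enabled": True, "last_logon": date(2002, 10, 18),
     "created": date(1999, 3, 1), "expires": None},
    {"name": "bob", "enabled": True, "last_logon": date(2002, 2, 1),
     "created": date(2000, 5, 9), "expires": None},
    {"name": "carol", "enabled": True, "last_logon": date(2002, 9, 30),
     "created": date(2001, 1, 15), "expires": None},
    {"name": "dave", "enabled": True, "last_logon": None,
     "created": date(2002, 6, 1), "expires": None},
    {"name": "erin", "enabled": False, "last_logon": date(2001, 12, 1),
     "created": date(1998, 7, 7), "expires": None},
    {"name": "contractor1", "enabled": True, "last_logon": date(2002, 10, 20),
     "created": date(2002, 7, 1), "expires": date(2002, 9, 30)},
]

# Constructed HR exit list (last day of employment). carol left but IT was never
# told; erin's account was disabled correctly.
HR_EXITS = {"carol": date(2002, 9, 30), "erin": date(2001, 12, 1)}


def validate_accounts(accounts=ACCOUNTS, hr_exits=HR_EXITS, as_of=AS_OF,
                      max_idle_days=180, grace_days=30):
    """Return (name, finding) pairs for enabled accounts that should not be enabled.
    Findings: 'left_company' (owner is on the HR exit list), 'expired' (the
    account's own expiry date has passed), 'never_used' (older than grace_days
    with no logon ever) and 'dormant' (no logon for max_idle_days)."""
    idle_cutoff = as_of - timedelta(days=max_idle_days)
    grace_cutoff = as_of - timedelta(days=grace_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        name = acct["name"]
        if name in hr_exits and hr_exits[name] <= as_of:
            findings.append((name, "left_company"))
        elif acct["expires"] is not None and acct["expires"] < as_of:
            findings.append((name, "expired"))
        elif acct["last_logon"] is None:
            if acct["created"] < grace_cutoff:
                findings.append((name, "never_used"))
        elif acct["last_logon"] < idle_cutoff:
            findings.append((name, "dormant"))
    return findings


def propose_expiry(accounts=ACCOUNTS, hr_exits=HR_EXITS, as_of=AS_OF, default_days=365):
    """The note's other countermeasure: an expiry date for every enabled account
    that lacks one. Use the HR exit date where known, else as_of + default_days,
    returned as ISO date strings keyed by account name."""
    proposals = {}
    for acct in accounts:
        if acct["enabled"] and acct["expires"] is None:
            name = acct["name"]
            expiry = hr_exits.get(name, as_of + timedelta(days=default_days))
            proposals[name] = expiry.isoformat()
    return proposals
```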
Second, the number of computers, the jobs that they do, and of course, the infrastructure that supports them have exploded. The secretive, wizards-of-the-temple-of-IT method of knowledge transfer just does not scale. With the explosion of computers and their infiltration into every function of a modern society has come a proliferation of knowledge. Information is available from numerous sources including books, Web sites, colleges, and technical training programs. Unfortunately, the widespread availability of information means that even though it’s easy to find someone who knows the how to of systems administration, it is difficult to find someone who also knows the when to and the why. We now have many systems administrators who know little about security or the impact of what they do.
The solution, like the problem, has multiple parts. First, we must ensure that system commands and utilities are reserved for administrative use. Second, we must provide training and guidance for all administrators, in the why and wherefore of what they are charged to do. Finally, we must ensure that job interviews also stress this aspect and not just rely on technical competency.
IN THE FIELD
call the vendor for assistance, not because they lacked technical savvy or willingness to solve the issue, but because they began working with the product and exhausted the possibilities sooner. The end result was a relaxation in project specification. The VPN, it seems, could not perform the required authentication protocol and could only use a much weaker process.
The less experienced team would not accept this solution. Instead, they investigated the authentication protocols available from the native operating system and found that one met the project specifications. They returned to me as the provider of the specification asking approval to use this solution instead of the other vendor products.
This difference in approach also was present in another scenario. Students were asked to appropriately configure the mail server for administration. Both groups were told they needed to provide administrative accounts that had authority to manage, troubleshoot, and maintain the mail server. Three possible privilege assignments existed: user, mail admin, and service account admin. The more experienced group accomplished this with one step; they gave the local Administrators group service account admin privileges. The other group created a mail server administration group and in addition to local Administrators group membership only gave them mail admin privileges. The difference is that although both groups accomplished the stated goal, the first group gave more privileges to more people than necessary. The second group restricted the ability to administer the server to a select group, not the entire group of operating system admins. They also correctly assigned only the privileges necessary for administration.
In project review, both teams discussed the issues. The more experienced group focused on getting the job done. The less experienced group focused on getting the job done right.
lists, for example, should be available to company sales people and to those managing accounts payable but should not be published where competitors could obtain them. Information that might adversely affect the market value of company stock should not generally be available to any employee. On the other hand, the location of corporate headquarters or current product descriptions is information that belongs in the public domain. Military information security standards also have their own system of data classification, but the principle is the same. Sensitive data needs to be managed differently.
NOTE
Removing Data from RAM and ROM? Clearing sensitive data from disks can be accomplished in several ways such as deletion and overwriting or degaussing (de-magnetizing). Removing data from Random Access Memory (RAM) is usually done by clearing or by removing power. Data in Read Only Memory (ROM) is permanently stored.
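Overwriting a file before deleting it, the "deletion and overwriting" method this note lists, as an added example; it is not the book's code or any wiping utility, and the secret written to the temporary file is constructed. The comments carry the caveat a practitioner needs: on flash media and on journaling or copy-on-write file systems the overwritten blocks may not be the blocks that held the old data, so encryption with key destruction or physical destruction of the media remains the reliable choice.

```python
import os
import tempfile

# Patterns for successive passes: all zeros, all ones, then random bytes.
PASS_PATTERNS = (b"\x00", b"\xff", None)   # None means os.urandom for that pass


def overwrite_file(path, passes=3, chunk=64 * 1024):
    """Overwrite every byte of `path` in place, `passes` times, forcing each pass
    to the device with fsync. Returns the total number of bytes written.
    Caveat: in-place overwrite only reaches the old data where the file system
    rewrites the same physical blocks; SSD wear levelling, journaling and
    copy-on-write file systems can leave the old blocks untouched."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for p in range(passes):
            pattern = PASS_PATTERNS[p % len(PASS_PATTERNS)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(pattern * n if pattern is not None else os.urandom(n))
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return written


def secure_delete(path, passes=3):
    """Overwrite, truncate to zero length (so the original size is not left in
    the directory entry), then unlink. A plain delete would only do the unlink,
    which is the 'directory pointer' removal the chapter describes."""
    written = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return written


def demo(secret=b"constructed sample: account 4412-0098 balance 1,250,000\n"):
    """Write a constructed secret to a temp file, overwrite it once and read it
    back to show the bytes are gone, then wipe and delete it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_file(path, passes=1)           # pass 0 writes zeros
    with open(path, "rb") as f:
        after_one_pass = f.read()
    written = secure_delete(path, passes=3)
    return {
        "zeroed": after_one_pass == b"\x00" * len(secret),
        "bytes_written": written,
        "still_exists": os.path.exists(path),
    }
```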
How should sensitive information be managed? Sensitive information and the media it is available on should be more carefully managed. Information, like all things, has a life cycle. It is created (purchased, discovered, developed), handled, stored, and finally destroyed. Each phase requires specialized handling. The phases are
• Creation—All data, however it is obtained, should immediately be classified and labeled. The labeling should indicate when it was obtained, its source, and an indication of its sensitivity level. Data that is stored and used electronically should also be identified electronically.
media is subjected to laboratory tests. Methods used include multiple overwrite of data, encryption, media destruction, and degaussing. Degaussing magnetically erases the disk contents. Destruction is via a metal destruction facility such as a smelter, or via pulverization, abrasion, incineration, or acid wash.
NOTE
Data Remanence Data remanence is the data that remains after data has been erased from physical media. Common misconceptions about deletion programs mean that quite a bit of data is often left on the disk. First, PC delete programs merely remove the directory pointer to the data. The data actually remains. A low-level disk editor, a common utility, can be used to recover the data. Some disk wiping utilities do so by overwriting the data. Even this process might not remove all the data. Always look for a utility that overwrites data multiple times, or use some other method of removing data from the disk.
Change Management Control
Change management control is often described as a best practice for management of custom software development and maintenance. Computer operations should also institute a change management control system for IT infrastructure. The first step in the process should be to develop detailed documentation on the following:
• Network configuration
The approval for the application of a particular type of patch can vary. In some organizations this can mean exhaustive testing; in others a decision is made after review by a knowledgeable person. This process and policy involve the systems administrator.
Other types of modification, such as the implementation of new technology, should be beyond the decision of a single systems administrator. This might require more stringent review that requires research and testing the impact on systems, network or application stability, cost, value, and product selection.
Regardless of the approval process, documentation must be changed to reflect current configuration and product mix. Documentation for related systems should also be reviewed. What impact does a new tape management system have on backup, offsite storage, recovery, collocation, compatibility, and training? Does new equipment bring new challenges in the availability of technical expertise, in application compatibility, or in the need for new auxiliary equipment and infrastructure? These questions should be answered prior to the change, but a review of related systems documentation and procedures can only occur once the product is installed.
Change management extends beyond documentation. If a new air conditioning system is to be installed, can it be scheduled for cooler months? Will the main power supplies need to be taken offline? (Should backup power be available and for how long?) If things don’t work with the new system, can we fall back to the old?
By having a firm change management policy in place, the impact on the availability and stability of systems can be more reliably assured.
C A S E S T U DY : T H E R U S S I A N H A C K A T TA C K
A N A LY S I S
This case shows how someone can use informa-
tion about company operations to attack a com-
pany’s assets.
This case of theft involved former employees of
Levin’s company, who moved to set up the bank
accounts, which were used as repositories in the
scam. In addition, they may have used the results
of the prior successful attack on Citibank’s com-
puters by the Russian Hacker Megazoid.
Megazoid—a mathematical wizard, according to
some accounts, or a group of hackers, according
to others—may have provided information to
Levin. Megazoid claims he remains anonymous
for fear of criminal gangs anxious to acquire
his skills. He claims he was able to navigate
the Citibank network undetected for months.
He says he penetrated secret files, using a computer and modem he bought for $10 and a bottle of vodka, as noted at http://www.infowar.com/hacker/hacko.html-ssi.

Official reports say that a large internal investigation cleared CitiBank employees of participation in the fraud. Bank security personnel in cooperation with the FBI were able to track illicit actions, arrest the moles, and gain information from them that eventually pointed to Levin and the company he worked for, AO Saturn. US authorities worked with the Russian Organized Crimes Squad. They then lured Levin to London where he was arrested. All but $400,000 was recovered.

Levin was sentenced to three years imprisonment.

The service that Levin compromised was called the Financial Institutions Citibank Case Manager, which Citibank created in 1994 to allow customers to transfer funds from their own accounts to accounts at other financial institutions around the world. To enter the system and transfer money customers were required to enter a user identification code and a password. Unlike similar operations by other banks of the period, Citibank did not also require a secure card for these transactions.

Think this is an isolated case? Think again. Security experts agree that it’s not. They believe that banks hide information on successful hack attacks. They also believe that common penetration techniques will work equally as well at banks as they do in other industries.

For a peek into the techniques that might be used to do so, see the article, “How to Hack a Bank,” at http://www.infowar.com/hacker/00/hack_052200a_j.shtml.
CHAPTER SUMMARY
Operations security involves figuring out what to protect, who to protect it from, who needs to have access, and what controls are available to help you protect it. Threats and countermeasures, auditing and intrusion detection, and OPSEC were discussed.

KEY TERMS
• Administration or management controls
• Administrative management
• Annual Loss Expectancy (ALE)
• Application software maintenance controls
• Audit
• Audit and variance detection controls
APPLY YOUR KNOWLEDGE
Exercises
7.1 Best Practices for Fax Services
Facsimile transmission at your company consists of several fax machines around the company. To send a fax someone must take a paper hard copy to the machine, load the document and punch in the recipient’s fax machine phone number. To receive a fax you must direct companies to use the fax number of the machine nearest you and retrieve the fax yourself. Fax machines are unmonitored and in public rooms.
1. Explain why the proposed controls listed in the worksheet outlined in Table 7.6 should be added to improve the security posture of your company’s facsimile management.
2. Use your knowledge of operations security to mark your choices by placing an X in the Select column. Then describe why you made this choice in the third column.

TABLE 7.6
FAX CONTROL WORKSHEET
Select | Control | Reasons for Choosing or Not Choosing Control
       | Require electronic receipt, no printout to uncontrolled fax machine. |
       | Require monitors for fax machines. |
       | Disable the print feature. |
       | Direct printing of received faxes to network printers. |
       | Install a fax server. |
       | Require login to receive/send fax. |
       | Require encryption of sensitive fax. |
       | Require fax server to encrypt all sensitive documents. A separate fax server is supplied for sensitive transmittals. |
Answer to Exercise
Table 7.7 provides the solution to Exercise 7.1.
TABLE 7.7
FAX CONTROL WORKSHEET ANSWERS
Select | Control | Reasons for Choosing or Not Choosing Control
X | Require electronic receipt, no printout to uncontrolled fax machine. | Allowing faxes to print to unattended machines means that sensitive documents are available for theft or reading by anyone who happens to walk by. In addition, documents can be inadvertently picked up by someone honestly picking up his fax.
  | Require people stationed at fax locations to monitor receipts. | This would assure some confidentiality but is not the best solution.
X | Disable the print feature. | Users may choose to print faxes (which may be sensitive documents) to network printers. Sensitive documents can still be left lying in unattended areas.
  | Direct printing of received faxes to network printers. | This is not valid for the same reason that it isn’t ideal to disable the print feature. Users might choose to print the faxes, which could then be left in unattended areas. This isn’t a good situation when dealing with sensitive issues.
X | Install a fax server. | This can solve many problems but needs additional controls.
X | Require login to receive/send fax. | Excellent! Only authorized personnel can send and receive. Also ensures that the fax gets to the right person, and only that person.
  | Require encryption of sensitive fax. | What, by policy? Who will remember?
X | Require fax server to encrypt all sensitive documents. A separate fax server is supplied for sensitive transmittals. | Yes. A technical solution exists that can ensure that sensitive documents are encrypted (presuming correct configuration is made and maintained).
Review Questions
2. Which two methods can be used to purge RAM?
6. Countermeasures to employee-related threats are which of the following?
A. Block all unnecessary inbound and outbound ports.
B. Eliminate banners.
C. Apply patches.
D. Bonding.
7. A risk associated with administrative management is which of the following?
A. Ignoring controls
B. Building near explosion hazards
C. Championing professional development
D. Providing security training
8. Antiviral products have been around for many years, yet we still have outbreaks of viruses and worms. The two most probable reasons for this are which of the following?
A. Gullibility of users.
B. Antiviral programs are not kept updated.
C. Antiviral programs cannot cope with the sophisticated virus programs written today.
D. Today’s operating systems are more vulnerable to virus attacks.

Answers to Review Questions
1. The OPSEC process is the process of looking at your company as the attacker would, discovering the information that he is seeing that might allow him avenues for attack, and then developing countermeasures so that this information is not available. See the section “Describe the OPSEC Process” for more information.
2. Controls are necessary for computer operations to ensure that security is not compromised. A good control is separation of duties. Separation of duties prevents one person from being able to subvert or defraud or compromise the system. For example, an applications programmer should not also be a software tester. He might add backdoors to programs that would allow an attacker to compromise the system. As tester he could overlook this problem. Another control is setting permission on files. This technical control keeps data available for only those who should have the ability to access it. See the section “Identifying Available Controls and Their Types” for more information.
3. An IDS system is an example of an audit and variance detection control because it looks for things which do not match the norm, and things which go against what is allowed. It also alerts an administrator about unusual circumstances. See the section “Identifying Available Controls and Their Types” for more information.
4. Two security principles are separation of duties and least privileges. Separation of duties means to keep one person from entirely controlling a process that might allow them to defraud the system. Least privilege means to only give people the privileges that they need. See the section “Identifying Available Controls and Their Types” for more information.
5. The role of auditing in operations security is to provide an audit trail or a list of what has happened to enable administrators to detect possible attacks and to determine if security policies are being fulfilled. See the section “The Roles of Auditing and Monitoring” for more information.
6. The analysis of a capture can provide information that allows detection of an attack, identifies the intruder, and provides forensic information for later analysis and possible prosecution. See the section “Detecting Intrusions” for more information.
7. Penetration testing techniques can discover vulnerabilities in your network and in your systems. A company should use these techniques after they have applied security hardening to their systems. The goal of pen testing is to find things that have not been discovered before, to catch configuration mistakes, and to have early warning of potential vulnerabilities. See the section “Penetration Testing Techniques” for more information.
8. Quantitative risk analysis uses statistical data to support its recommendation for countermeasures. An example is the Annual Loss Expectancy (ALE), which multiplies the loss potential times the probability of the threat occurring. See the section “Risk Analysis” for more information.
9. Countermeasures to fraud include separation of duties (ensuring no one person can do all of a process that would allow them to steal from or defraud the company), rotations of duties (ensuring no one is always doing the same thing), and mandatory vacations (fraud is often discovered when an individual is away). See the section “Establishing Countermeasures for Employee-Related Risk Analysis” for more information.
10. Media, tapes, and disks should be protected by labeling them, controlling access, keeping storage and usage area temperature controlled and clean, controlling and recording their movement, keeping them out of direct sunlight, and allowing them to acclimate before using them when they are brought from outside to inside the building. See the section “Protecting Sensitive Information and Media” for more information.

Answers to Exam Questions
1. B. Contingency planning is an operational control. See the section “Identifying Available Controls and Their Types” for more information.
2. B, D. Random access memory can be cleared and will be cleared when power is removed. See the section “Protecting Sensitive Information and Media” for more information.
3. A. Configuring security is an administrative task. If a programmer configures security he might set it to be lax and then write programs that will more easily compromise the system. See the section “Identifying Available Controls and Their Types” for more information.
4. B. Clearing and degaussing are techniques to remove or destroy data on media. Data remanence is the data that remains after erasure of data from the system. See the section “Protecting Sensitive Information and Media” for more information.
5. C. Annual Loss Expectancy. See the section “Risk Analysis” for more information.
6. D. Bonding is the practice of paying a third party to insure the actions of an employee. It often includes some sort of a background check by the bonding agency and insures the company against fraud committed by the employee. See the section “Establishing Countermeasures to Employee-Related Threats” for more information.
7. A. If administrators flout controls, they set examples for their staff. They also are a greater risk, because they might have elevated privileges or access to confidential data. See the section “The Role of Administrative Management” for more information.
8. A, B. Many viral and worm attacks would not succeed if not for users who open attachments, respond to requests, download games, and so forth. See the section “Understanding Antiviral Controls” for more information.
Suggested Readings and Resources
CHAPTER 8
Business Continuity Planning and Disaster Recovery Planning
OBJECTIVES
Detail the business continuity planning process.
• Explain the process of business impact assessment.
• Define the process of developing the scope of a business continuity plan, including organization analysis, resources, and legal and regulatory requirements.
• Develop business recovery strategies, including planning for crisis management; arranging for cold, hot, warm, and mobile recovery sites; communicating with personnel and management; and developing emergency response and implementation plans.
• Describe emergency response, including the development of emergency response teams and procedures. Include disaster recovery crisis management and communication plans.
• Explain the necessary components of reconstruction procedures, including reconstruction from backup, movement of files from offsite storage, and loading of software, software updates, and data.

. The first step in planning business continuity is to understand the scope of the problem. A sound business impact assessment details the possible effect of every potential disaster. Every event can be analyzed as to its probability and how current business operation strengths and weaknesses impact the result. The planning effort asks the questions: Will operations be affected? Which operations are affected? Where will problems occur? For how long? How much will it cost? Does the organization have legal or regulatory requirements to fulfill? What about obligations to its employees and customers?

. Disaster is the name we give to an event that so cripples a business that operations can’t resume for some lengthy period. When the event occurs, its first stage is often one of emergency. Every disaster recovery plan should encompass plans for action at the time of the emergency. A crisis can’t be managed, but the response to one can be managed. Appropriate procedures, communication plans, and training provide the means to do so.

After the crisis is contained, an organization’s personnel might be stunned into inactivity or busied with reconstruction. Proper planning provides the facilities, offsite storage of backups, tested procedures, alternative resources, and trained personnel necessary for the effort.
STUDY STRATEGIES
. BCP and DRP are, simply put, just a way of ensuring that some man-made or natural disaster does not eliminate the organization. An excellent way to study this topic is to use the methodologies explained here to develop plans for an organization with which you are familiar. Even if your job does not demand this knowledge or ability, you will gain a greater appreciation of the process and a better understanding of this domain by putting your quest for knowledge into a practical objective.
. If you do not feel you have the information available, or you feel the scope is too broad, select a department within the organization, or start your efforts by developing such plans for your family.
. Another strategy is to develop a plan based on what you know about a recent crisis. Would your organization have survived if your offices were in the World Trade Center on 9/11? What if they had been located in Southern California during the Northridge earthquakes of 1994, or on the coast of Florida during hurricane Andrew in 1992 or hurricane George in 1998? Whatever your choice for the exercise, involve yourself in writing a plan; don’t just memorize terminology or attempt to learn this topic via osmosis.
INTRODUCTION
In the aftermath of the 9/11 attacks on the World Trade Center in
New York City, many companies rushed to update business continu-
NOTE
Interagency Contingency Planning Regulation: This regulation mandates that financial institutions in the U.S. will have a disaster recovery plan. It was developed by the Financial Institutions Examination Council, a “…formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).” For more information, visit http://www.ffiec.gov/.

tained? Is disaster recovery planning the same thing as business continuity planning? In today’s at-the-speed-of-the-Internet world, where data is mirrored and co-located and stand-by systems and fail-over clusters are the rule, is backing up or a recovery plan even necessary? Where do all the parts fit in, and who is responsible for them?

These are the questions you should be able to answer about this domain, and these are the topics covered in this chapter. By way of introduction, let’s review the reasons for having a plan:
á Studies indicate that nearly half of the companies that lose data in a disaster never reopen, and 90% of them are out of business within two years.
á Although countries might differ, in the U.S., the law does not explicitly mandate such plans, but it does mandate protection of business records. The Foreign Corrupt Practices Act of 1977 includes a requirement that compels corporations to keep accurate records and to safeguard company assets, and IRS 91-59 makes management responsible for record retention.
á Some types of businesses might be required to have a plan. The U.S. Federal Financial Examination Council, which regulates U.S. financial institutions, mandates a working disaster recovery plan for all U.S. financial institutions.
á Those companies that violate the law are subject to civil and criminal prosecution.
NOTE
When Is an Event a Business Interruption? Although everyone would consider a fire to be a business interruption event, few would see a small, quickly extinguished paper fire in a wastebasket as an event worthy of including in your plan, or as one that would trigger its operation. Granted, the little wastebasket fire needs attention, but the interruption is minor and the cost miniscule. Fire is an event to develop plans for. In that plan, perhaps, will be information that will qualify at what point the plan comes into being and perhaps referral to other policies and procedures that dictate activity for minor events of this type.

More lives can be saved if a plan has been developed to meet any emergency. With a plan, calm preparedness can reign, and where there is calmness, more lives can be saved.

What about the peripheral and inanimate objects the fleeing masses leave behind? What if the calamitous event is not a life-threatening disaster but nevertheless threatens the normal operations of whatever businesses are involved? What events should be considered in a plan?

In a business, any event that can interrupt its normal operation, which can negatively impact its people or its facilities, requires the creation of a plan of action to deal with it. To create such a plan, you must first determine which events can threaten a business’s ability to continue, and then, at what level those events trigger the operation of the plan.

The first step, however, is to list the events. Instead of merely adopting a prepared list, each business should create its own list, and the list should be reinspected at least annually to keep it up-to-date. The following list is the result of one business’s recent discussion at the beginning of its business continuity planning session.
á Natural Events Including Weather
• Earthquake
• Hurricane or Heavy Rain/Wind
• Blizzard or Heavy Snow/Hail
• Tornado
• Volcanic Eruption
• Drought
• Flood
• Mudslide
á Miscellaneous Events
• Explosion
• Hardware, Software Failure
• Strike and Picket Line
• Employee Evacuation, Absence
• Testing Outage
• Human Error and Omission
• Disgruntled Employee
• Malicious Mischief
• Vandalism
• Riot
NOTE
So, Which Disasters Pose a Risk for You? Determine these by reading “Understanding Your Risks, Identifying Hazards and Identifying Costs,” a document available from the Federal Emergency Management Agency (FEMA), which you can read more about at http://www.fema.gov/mit/planning_toc3.htm.

occurrence. These steps must be taken and should be specific for each business location, but they should not be a part of the initial listing of events. In the beginning, every potential chance event—no matter how seemingly impossible—should be listed and not filtered.

Although it is important to make the list without speculation over which events actually represent a risk to this business, a risk analysis should be completed. To do so, review data on the FEMA site, community records of natural disasters and crime rates, as well as company history.
How can a business continue if flood, fire, or some other event has
knocked out network services, destroyed the data center, or injured
or killed a large part of the workforce? If a company has a disaster
recovery plan but does no business continuity planning, it might
recover the data, data center operations, people, and facilities and
yet the business might cease to operate.
Still, though, many companies don’t seem to realize this. Perhaps
it’s the historical development of the process. It’s not a bad idea to
note the history behind the concept of planning for disaster.
Understanding the rationale behind the various planning efforts as
well as the differences between the two can help you avoid reliance
on one or another of the planning processes.
Modern business continuity planning grew out of a need to develop
plans to deal with the potential disaster of malfunctioning, dam-
aged, or destroyed mainframe systems. These original efforts, called
disaster recovery planning, focused on the capability of computer
operations to deal with and recover from some disasters. Businesses
recognized their growing reliance on their data systems and became
afraid of the results should these systems be damaged or destroyed.
Perhaps employees could return and ordinary facilities could be
restored, but expensive computer systems and the data they held
could not be so easily replaced. Elaborate plans to resume operations
at remote sites, including standby equipment and data backup oper-
ations, became a necessary requirement for every data center.
Amazingly, at first, no one considered other aspects of business oper-
ation, nor what would happen if data systems survived and were
again operational but the business could not function due to damage
to other areas of the facilities, loss of critical employees, or loss of
the ability to perform manual processing. No one paid much atten-
tion to the impact of monies lost due to lost business during the
recovery operation or reserving emergency locations for people
to work in, or what the impact of losing key employees in the
disaster might be. Although the original emphasis on data system
recovery was due to the business loss their demise meant, this
reason behind the function was lost and the focus became simply
keeping the systems running. I suppose businesses reasoned that
disasters had happened in the past and businesses dealt with them.
NOTE
Audit Your BRP: FEMA provides a complete series of checklists that cover the development of business recovery plans. The checklists cover four broad areas: executive awareness and authority, plan development and documentation, management and recovery team assessment and evaluation for effectiveness, and management and recovery team assessment of readiness and plan management. Although the checklists are directed at those developing a plan, in my opinion, they are far better used as an audit review of a functioning plan. They are available at http://www.fema.gov/ofm/brecov.htm.

nuity plan must be developed. Although many steps must be taken in its development, many sources agree that the two most important items necessary for its success are backup and management support. Without backup, of course, there is nothing to recover, and without management support and guidance, no plan can succeed. Management support aids in obtaining money for mitigation processes (contracts for hot sites, duplicated systems, insurance reviews, and so on); time for planning, testing, and training efforts; and the support of the planning effort across boundaries of department, division, and role. It is management that eventually must decide how much money can be spent, and it is management support that ensures participation in the process. Fortunately, part of the planning process documents the financial impact of business interruption, and this information can ensure management’s commitment to the planning process as well as plan implementation.
The business continuity planning phases are
á Determine the scope of the plan
á Perform business impact analysis
á Develop operational plans for each business process
á Test plans
á Implement plans
á Maintain plans
Is this plan required for some new adjunct to the business: a new
department, operation, or division? Should the plan address only a
particular business process? Is it concerned with facilities, computers,
and people or just one of these? Should the plan address all potential
disasters or limit its efforts to a particular type?
Although every organization needs a plan that encompasses its entire
operations and considers all possible business interruption events, if
the organization has never had a BCP, it probably should focus first
on only some part of the organization or recovery from a particular
type of event. Another approach is to divide organization-wide plan-
ning efforts into localized or departmentalized planning efforts.
These plans, when complete, can then be combined into a master
plan for the entire organization. The master plan can address infra-
structure, support services, and other areas that can impact multiple
business processes and cross traditional business boundaries.
Regardless, the plan should not just address issues of putting critical
components of the business back into operation; the scope of the
plan should also address the legal and statutory elements that are a
result of the business interruption. Legal and statutory elements can
be fines that will be imposed due to late filing or completion of pro-
jects, penalties for not implementing mandated services and func-
tionality, or the like. An example might be the fulfillment of new
patient information privacy regulations as defined by the Health
Insurance Portability and Accountability Act of 1996 (HIPAA),
which can result in heavy fines and jail time. HIPAA outlines strict
new guidelines on how every organization that deals with patient
data must protect the privacy of the individual.
NOTE
Life—the Most Critical Business Process: Planners should make no mistake: The business impact analysis should rank processes that concern the lives of people as the most critical operations of all. Consider, for example, those operations that keep life support functioning first.

not only understanding the emergencies you might be faced with or which business operations they can affect, but in understanding what level of operations is necessary to fulfill the goal of keeping the business going. Unlimited resources for recovery will never be available, nor should that be your goal. The goal of recovery is to get critical services up and running to ensure the continuation of the business. Doing that requires a deep understanding of what these critical services are and the financial impact of their interruption.
A business impact assessment (BIA) is the process by which a busi-
ness’s critical services are identified and a maximum tolerable down-
time (MTD) for each is determined. The MTD, sometimes also
known as the recovery time objective (RTO), is the timeframe with-
in which the critical service must become operational to ensure the
business will survive.
A useful approach is to attempt to determine what will happen if each
process can’t function for several time periods. What will happen after
one day of loss, after two, after a week? It is useful to attach
dollar amounts in revenue loss, interest expense, discounts, fines,
and so on—in other words, the total dollars over time that business
interruption exacts. For each possible event, the operations that might
be affected can be listed and a total financial picture determined.
These totals are useful in creating an awareness of the need for busi-
ness continuity planning, and the impact of the loss of a single
process helps to support funding for both pre- and post-event miti-
gation and recovery activities. Dollar figures also help separate
processes into critical and noncritical operations and rank them in
order of importance. However, two more factors should be studied.
First, the interrelatedness of processes should be evaluated. Interviews
with operations personnel might not reveal the true importance of a
process. Understanding that some critical operation relies on this
minor one might move the low-importance process to critical
operation status. Secondly, some processes can survive moderate
time periods of no function at all, whereas there may be a time at
which critical operations must be resumed or no amount of money
invested in the recovery process will be sufficient. Time-sensitivity
is therefore a consideration. Hours of downtime for a Web site
might be more devastating than days in a more traditional business.
NOTE
Is a BIA Necessary for e-Commerce? Because e-commerce site requirements are 100% uptime, the MTD for e-commerce can be represented as 0. After all, high-volume sites might find that even tiny amounts of time offline result in staggering losses. Recognition of these factors ensures management support, and initial funding plans often include complete redundancy for these operations. Many sites are co-located (complete up-to-date copies of the site exist at other locations and can be almost transparently switched to if the site goes down). In the face of such operations, is there a need to perform a business impact analysis? Yes. The BIA can identify business processes that rely on the e-commerce activities, or which provide support for it so that appropriate plans can be made for them. Without a BIA, other activities—perhaps less obvious than being able to connect to the site but equally as important to business survival—might be overlooked. Can you imagine, for example, the impact if the catalog-ordering site was co-located but the warehouse was not? If a hurricane flattens the main site and the warehouse, the Web site might be operational elsewhere, but product still wouldn’t ship.

á Contractual fines or penalties
á Unavailability of funds
á Cancelled orders due to late delivery

Not all loss can be easily calculated in monetary value, but it should also be considered. Lists of other ways operations would be affected should also be made. These might include items such as loss of customer service capability; loss of the ability to help internal customers; and loss of confidence by customers, shareholders, employees, and regulatory agencies.

No matter how you conduct your research, sample questions can be found by examining published surveys. Arthur Hutt, in the Computer Security Handbook, is one such resource. Although it is a disaster recovery questionnaire and asks questions about computer applications, you could extend it to cover any business process or simply begin by abstracting questions for use in beginning your interviews. Hutt’s questionnaire inspired Table 8.1, which could be used to combine the results of your surveys. Operations are listed down the side of the table; the impact, including loss in dollars, ranges across the top. It is meant as a start, to which you might add your own questions or adjust the timeframes. An e-commerce version of this business impact analysis table, for example, might substitute hours or minutes of operation in place of days. After the initial data is gathered, you can determine the operations most critical for business survival (those which would mean the most monetary loss if not quickly resumed). Next, calculate the Maximum Total Downtime (MTD), the time for which a critical operation can be down before the business loses its capability to survive. To do so, total the monetary losses over time and compare them to the loss that would be too much for the business to bear.
TABLE 8.1
BUSINESS IMPACT ANALYSIS SURVEY RESULTS
Days from Event / Business Operation | Related Computer Applications | If Lost: Impact on Business | $ Loss in Sales and Revenues | $ Cost in Lost Clients
Day One
  Operation 1 | | | |
  Operation 2 | | | |
  Operation 3 | | | |
Day Three
  Operation 1 | | | |
  Operation 2 | | | |
  Operation 3 | | | |
Day Ten
  Operation 1 | | | |
  Operation 2 | | | |
  Operation 3 | | | |
One Month
  Operation 1 | | | |
  Operation 2 | | | |
  Operation 3 | | | |
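The ranking and MTD calculation described above, worked through in code. This is an added example and not part of the book: the survey figures are constructed to follow the shape of Table 8.1 (cumulative dollar loss at day 1, 3, 10, and 30 for each operation), the $1,000,000 threshold is an assumed "loss the business cannot bear", and the function names are my own.

```python
"""Worked BIA example: rank operations by loss and derive an MTD from survey data.

Added example, not from the book. The survey figures below are constructed
to mirror the shape of Table 8.1 (cumulative $ loss at day 1, 3, 10, 30).
"""
from __future__ import annotations

# Checkpoints used by Table 8.1 (days after the event).
CHECKPOINTS = (1, 3, 10, 30)

# Constructed survey results: operation -> cumulative loss in dollars
# (sales and revenues plus lost clients) at each checkpoint. Illustrative only.
SURVEY = {
    "order entry (Web site)": (40_000, 150_000, 700_000, 2_500_000),
    "warehouse shipping":     (15_000,  90_000, 500_000, 1_900_000),
    "payroll":                (     0,   5_000,  60_000,   400_000),
    "internal help desk":     ( 1_000,   4_000,  15_000,    60_000),
}


def rank_by_criticality(survey, horizon_day=1):
    """Return operations ordered by loss at `horizon_day`, most costly first.

    The book's rule: the most critical operations are those that cost the
    most if not quickly resumed, so a short horizon (day one) is used.
    """
    idx = CHECKPOINTS.index(horizon_day)
    return sorted(survey, key=lambda op: survey[op][idx], reverse=True)


def mtd_days(losses, max_bearable_loss):
    """Estimate the MTD in days: when cumulative loss first reaches the threshold.

    Loss at day 0 is taken as zero and the curve is interpolated linearly between
    checkpoints. Returns None if the threshold is never reached inside the survey
    horizon (the operation is not time-critical within 30 days). A threshold of 0
    reproduces the e-commerce case in the note: MTD = 0.
    """
    prev_day, prev_loss = 0, 0.0
    for day, loss in zip(CHECKPOINTS, losses):
        if loss >= max_bearable_loss:
            if loss == prev_loss:
                return float(prev_day)
            frac = (max_bearable_loss - prev_loss) / (loss - prev_loss)
            return round(prev_day + frac * (day - prev_day), 2)
        prev_day, prev_loss = day, loss
    return None


def bia_report(survey, max_bearable_loss):
    """MTD for every operation, ordered most critical first."""
    return {op: mtd_days(survey[op], max_bearable_loss)
            for op in rank_by_criticality(survey)}


if __name__ == "__main__":
    for op, mtd in bia_report(SURVEY, 1_000_000).items():
        print(f"{op:<24} MTD = {mtd if mtd is not None else '>30'} days")
```

With the constructed figures, order entry reaches the threshold about 13 days after the event and warehouse shipping about 17 days after; payroll and the help desk never reach it within a month, which is exactly the information the recovery planner needs to decide which processes get a hot site and which can wait for a cold site or restoration from backup.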
A 100% uptime requirement (an MTD of 0), for example, can be met only with alternative processing that is already running: hot sites with standby servers that can immediately take over operations, duplication of services at alternative places, and so forth. Processes with MTDs of several hours or days can be supported by hot or warm sites, and those with MTDs of weeks by cold sites (sites with power and other facilities but no computers or software), restoration from backup, or even temporary alternative processing. Senior management will be asked to support the proposed effort to meet the recovery timeframe.
The correctness of the MTD should be evaluated prior to plan development. It will be much harder to revise or obtain approval for recovery plans at a later time in the planning process.
Reporting
A final report, called “BIA Findings and Recommendations,” is prepared. It should include an assessment of threats and vulnerabilities to time-critical business functions, document the impact (both operational and financial) on the business, and suggest a recovery approach that includes next-step recommendations.
This report should be circulated for final validation prior to publication. The results are often communicated to service organizations such as IT, network management, telecommunications, human resources, and the facility that supports each business unit. The MTDs drive the rest of the planning process: they are used to select, measure, test, and deploy the recovery processes for each critical function.
REVIEW BREAK
The BIA Process
To summarize: The BIA process is a series of steps:
• Identify time-critical business processes.
• Identify supporting resources (personnel, facilities, technology, computers, software, networks, equipment, vital records, data, and so on) for the critical processes.
• Determine MTDs.
• Return to business units for validation.
• Provide the final report, including MTDs and recommendations for next steps, to senior management.
• Preventative measures—Those operations that might prevent events, such as fire, or mitigate the effect of an event should it occur. Typical items in this part of the plan include fire and safety inspections, installation of fire detection and suppressant equipment, insurance review, attention to normal maintenance of equipment, data backups (including duplication of documentation, maintenance of backups, and storage of software offsite), training for employees, blast walls, and evacuation drills. They can also encompass a review of insurance for adequacy as well as training in the steps to be taken to ensure compliance with insurance policy requirements.
• Emergency response—Includes the actions taken immediately to avoid injury and loss of life, alert authorities, notify management, prevent additional damage, and (where possible) rescue critical data and equipment.
• Recovery—The process of putting critical operations back into operation. More information is available in the “Defining Disaster Recovery Planning” section later in this chapter.
• Return to normal operations—Transitional activity that returns the business to normal operations. This can include facility repair or replacement, establishment of new data and voice connections to support the entire operation, recall of employees, and the return of all operations to normal levels.
Plans must be made for each phase and include the activities that must occur, who is responsible for them, and what resources are needed. Once again, the business process owners are key players in the development of the plans. Because the BIA has identified the critical operations and the timeframes for their recovery, the business process owners can best define what is necessary to meet those timeframes. They should be trained in the process of evaluating alternatives for recovery, documentation of the strategies, and selection of key personnel to carry out the plans.
Some specific details that address these areas of the plan are
• Getting help
• Reviewing insurance
NOTE
Learning from the Past Examining the impact of disasters on business often suggests activities or approaches that can help mitigate the impact of future events. In the Chicago floods of 1992, many basement-level data centers experienced water damage, prompting many companies to redesign facilities to locate data centers above basement level. Hurricanes and other damage to data centers located along exterior window walls have also resulted in the movement of data centers to interior areas of the building.
NOTE
Emergency Control Centers For some recovery operations, it might be helpful to plan emergency control center locations. These centers, located both within and outside the facilities, should include plan information such as an inventory of people, equipment, documentation, supplies, hardware/software, vendors, critical applications, data processing reports, communications capabilities, and vital records. During a crisis they can serve as communication centers and regrouping and recovery staging areas.
Getting Help
Plans for getting help should include specific steps to be taken dur-
ing each phase. Contact information and notification steps should
Reviewing Insurance
The planning process should include a review of insurance coverage.
The goal is to determine whether current insurance is adequate and
ensure that the recovery plan includes information that will allow
those engaged in the recovery effort to best interface with insurance
representatives for the best possible outcome. The time to learn
about insurance is not when it is necessary. Insurance can provide
funds to assist during recovery and restoration. Without insurance
coverage, the business might be doomed.
Some items that should be questioned when assessing insurance policies are as follows:
• The type of risk covered
• The type of property policy valuation
• The need for specific additional insurance
Two types of risk can be quantified in the policy. Named perils speci-
fies that the cause of the loss must be enumerated. If the cause is not
listed in the policy, no coverage exists. Alternatively, all risks specifies
that all causes of loss that are not explicitly excluded in the policy
are covered.
Property policy valuation concerns the basis of compensation for
loss. The two types—actual cash value (ACV) and replacement cost—
both attempt to determine the cost to repair or replace lost or dam-
aged items with those of similar quality and type. Actual cash value,
however, deducts the value of physical depreciation, whereas replace-
ment cost does not.
Many policies do not cover the types of losses a business can incur: the policy might exclude the cause of the loss, or it might simply not cover the additional costs a business interruption event generates. Coverage might be available but have to be purchased at additional cost. Each business will have to determine whether the special coverage is appropriate. Some of these items are
• Business interruption insurance—Covers lost earnings and continuing expenses during business shutdown time.
• Boiler and machinery—Covers damage, replacement, and repairs necessary due to explosion of a steam boiler, pipes, engines, or turbines and mechanical breakdown.
• Valuable papers—Covers loss resulting from the loss of or damage to valuable papers and records.
• Accounts receivable—Covers loss due to inability to collect.
Each business should review its insurance plans with the insurance
company representatives to ensure business recovery plans include the
appropriate steps. Generic steps, and those typically useful in obtaining
insurance claims, are detailed here:
• Notify insurance company of claim immediately—Give any details that are known and ask for assistance.
• Secure the area—Is it safe to enter? What needs to be done to ensure continued safety?
• Restore fire protection—Automatic or specific action might have removed power to sprinklers and other fire protection devices or otherwise removed any fire protection in place. If it is safe to do so, return operation of these devices, plans, and so on to protective status.
• Prevent further damage/take action to minimize loss—Perhaps water can be pumped out. Remove nondamaged goods to a place of safety and protection. If this is not possible, at least separate damaged materials, but do not destroy or trash them. Cover broken windows and holes in roofing as soon as possible. If possible, obtain emergency heat and dehumidification.
• Provide security—Guards might need to be posted or locks applied and barriers raised to keep out the press, the public, and employees not involved in damage assessment.
• Take pictures and video of the site and damaged and undamaged property—Documentation not only serves as a record for insurance claim purposes, but also can serve as a deterrent to theft.
• Determine the cost of these and other temporary measures deemed necessary to resume operations and maintain security—Often insurance can cover these costs and even provide emergency funding for these efforts. (You should, of course, be aware of these possibilities before an emergency.)
• Obtain property replacement and repair costs from several sources—Use internal engineering, operations, and maintenance personnel as well as outside contractors. Be sure to document the scope of activity this requires. Part of this process is determining what can be salvaged and repaired and what must be replaced.
acquisition of alternative equipment and locations, contractual arrangements with restoration specialists, and training of employees in their responsibilities and actions during and shortly after each type of business interruption event. The second is the actual operation of the plan when an event occurs.
NOTE
Don’t Be a Statistic A 1998 Ernst and Young study found that only 27% of businesses with business continuity plans in place bother training staff in their operations.
A full review of the plan requires that each business process be examined to see whether the plan adequately addresses the needs of the current systems, equipment, facilities, and people. Among the items to review are
• Is the insurance plan up-to-date?
• Have new processes and equipment been added, and are they covered in the plan?
• Has team membership been adjusted to include or exclude changes in personnel?
• Is testing being done?
• Are there new types of events or changes in the likelihood of them occurring?
• Have mergers, acquisitions, or divestitures occurred, and has the plan been adjusted?
NOTE
Testing Insurance Any test of BCP should include a review of insurance. An examination of the policy should include a review of the adequacy of insurance coverage for recovery and restoration. Is there a need for, or is there adequate coverage for, vital records, equipment, restoration of data, and facilities? Are new coverage options available? Are some options no longer available?
A good example—the one that, for many years, was the only planned recovery operation—is the recovery of data processing operations. Understanding and reviewing such plans allows you to adapt the planning process to the recovery of other technologies.
For the purposes of reducing redundancy, I will presume that the
scope of your business continuity planning process encompasses dis-
aster recovery planning and that a business impact analysis has been
completed as part of that process, thus identifying the more critical
applications and processes that are part of data processing. I will also
assume that testing and maintenance portions of the disaster recov-
ery plans can use the same instructions. Therefore, this section con-
centrates on the actual plan for post-interruption event recovery and
the restoration of normal processing. Developing a backup strategy,
a precursor to recovery, is detailed in a separate section.
managers judge when a specific response is required. Typically, separate procedures are warranted when lives are endangered. Clear instructions should indicate that when life is endangered, authorities should be notified and an accounting of all people known to be in the building (employees, vendors, and guests) should follow evacuation.
A procedure is also needed for situations that are not life threatening. This list needs to be tested, and it should be updated periodically. Items on this list might include
• If programs are processing, shut down appropriately.
• Remove critical data files.
• Shut down equipment in proper sequence and shut off power.
• Establish damage control, such as covering equipment that can be exposed to water from sprinklers.
• If additional emergency control procedures exist, activate them if warranted.
• If appropriate, evacuate buildings.
• Reconvene at alternative sites.
• When appropriate, recall personnel for special assignments.
NOTE
Flip Switch in Emergency A shunt trip, or emergency power shut-off switch, is often installed in a data center near an exit door. In case of fire, flipping the switch shuts off power, perhaps reducing the spread of fire and making the building safer for those fighting the fire. Please don’t label the switch “Flip switch in emergency” with no additional information. An American company found out why the hard way: An employee became locked in the data center at off hours and pulled the switch, thinking it might provide a means of escape. Well, he was rescued, but you can imagine the company’s surprise when 150 Web servers suddenly shut down, removing the company’s presence on the Internet.
Every data center does a backup, don’t they? IT audits still find sites for which backups are not done or for which they are not validated, carefully monitored and controlled, or tested. A data backup is insurance against the probability that something will damage data. Data, of course, can be damaged due to drive crashes or other media failure, accidental or malicious deletions, the introduction of bad data, or a virus or other attack.
There are many horror stories that recount failed data recovery because no backup existed or because the backup was not usable. Once again, the wise planner will assume the worst—all surprises will then be pleasant.
A comprehensive backup plan, including provisions for periodic testing, should be included in the disaster recovery plan. Backup plans include information on what should be backed up and when it should occur. Backup plans should exist as part of normal IT operation. Sometimes, however, a backup plan exists but is never implemented. There is no point in having a backup plan if you don’t implement it. The plan should also include instructions on backing up data that does not exist electronically.
Many new technologies, such as mirrored systems, fail-over clusters, and data vaulting, provide alternatives to the simple restore and might cause some to question the necessity for backup. However, any system can fail, and a backup is always a cheap alternative to having no data at all.
NOTE
Is Backup Always Necessary? Once, when I was teaching a class and we were discussing backup policies and procedures, I noticed that two ladies at the back of the room kept exchanging curious glances. I asked the class to explain their backup policies and procedures. After some discussion, I asked the ladies about their backup policies. “We don’t back up,” they said. The room sat in stunned silence. Astounded, I asked them who they worked for. “The U.S. government,” they said. The room shook with laughter. It turned out, however, that the ladies had the correct backup policy for their environment. They managed a large database, and fresh data was downloaded every morning. No updating of the data was done at their site, and being without the data for the time it might take to download a new copy was an acceptable situation. In their case, it made sense not to back up.
The questions remain, “Is a sound backup policy in place? What is it? Is it used? Is it adequate? Is it tested? What are some generally agreed upon best practices? Is replacement, duplicate, or temporary use of hardware considered as part of the plan? Is movement to alternative sites arranged for?”
The planner should create plans based on current identification of critical systems, technology available, and recovery timeframe requirements. The wise plan includes the direct assistance of the technical individuals responsible for the systems in question. Items to consider are
• Data backup—Traditional copy to tape or other media.
• Alternative sites—Moving operations to other locations.
Partial backups can be made of data that has changed since the last backup.
Many companies adopt a strategy of making complete backups weekly, with partial backups made on the other days. In this scenario, a new, complete backup is made each week on a separate tape. Weekly tapes are kept for a month before being recycled, whereas daily partial backups must be kept for at least a week, depending on the type of partial backup made.
When a complete backup is made, each file backed up is marked as backed up. When a partial backup is made, however, only files that have changed (those not currently marked as backed up) are copied. Two types of partial backups exist. The incremental backup marks the copied files as being backed up, so subsequent incremental backups copy only files modified since the previous incremental backup. The differential backup also copies the files that have changed since the last complete backup, but because it does not mark the copied files as backed up, each subsequent differential backup includes them again. The difference matters most at restore time: a differential strategy needs only the last complete backup plus the most recent differential tape, whereas an incremental strategy needs the last complete backup plus every incremental tape made since, restored in order.
Examples of both incremental and differential backups are illustrated in Figures 8.1 and 8.2. In Figure 8.1, a complete backup is made on Saturday, which is then followed by differential backups during the week. On Sunday, two files, productinfo1.dat and customerinfo2.dat, are modified. The differential backup made on Sunday includes only these files and does not mark them as backed up. On Monday another file, vendorinfo1.dat, is changed. The Monday backup therefore includes productinfo1.dat, customerinfo2.dat, and vendorinfo1.dat. pdata1.dat and pdata2.dat are modified on Tuesday and included in Tuesday’s backup along with the other three files.
Figure 8.2 shows the same systems, except this time an incremental backup is made on Sunday, Monday, and Tuesday. Incremental backups copy only files changed since the last backup and do mark the newly copied files as backed up. Sunday’s backup contains the same files as that of Figure 8.1. Monday’s backup, however, includes only vendorinfo1.dat, and Tuesday’s backup includes only pdata1.dat and pdata2.dat. So as the week progresses, an incremental backup copies less data each day than a differential backup, resulting in shorter backup times on consecutive days, at the cost of a longer restore because more tapes must be read back.
FIGURE 8.1
Full weekly backup with daily differential. [Figure: tapes 1 through 4. Saturday: all files; Sunday, Monday, Tuesday: differential backups; Wednesday: drive crash.]
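The "backed up" mark behaviour behind the two figures, modelled in code. This is an added example and not the book's own material: the file names and the Saturday-to-Wednesday timeline are taken from the text, while the BackupSet class, its method names, and the extra untouched file catalog.dat are assumptions made for the illustration. It also answers the question the figures leave implicit, which tapes have to be mounted on Wednesday morning.

```python
"""Full, incremental and differential backups, and the tapes a restore needs.

Added example, not from the book. It models the "backed up" mark the text
describes: a full backup clears the mark on every file, an incremental backup
clears it on the files it copies, and a differential backup copies the marked
files but leaves the mark set. File names and the Saturday-to-Wednesday
timeline follow Figures 8.1 and 8.2; BackupSet, its method names and the extra
file catalog.dat are assumptions made for this illustration.
"""
from __future__ import annotations

FILES = ["productinfo1.dat", "customerinfo2.dat", "vendorinfo1.dat",
         "pdata1.dat", "pdata2.dat", "catalog.dat"]


class BackupSet:
    def __init__(self, files):
        # True means "changed since last marked as backed up" (the archive mark).
        self.needs_backup = {name: True for name in files}
        self.tapes = []  # (label, kind, frozenset of file names on the tape)

    def modify(self, *names):
        for name in names:
            self.needs_backup[name] = True

    def _marked(self):
        return frozenset(n for n, dirty in self.needs_backup.items() if dirty)

    def full(self, label):
        copied = frozenset(self.needs_backup)          # every file, marked or not
        for name in copied:
            self.needs_backup[name] = False
        self.tapes.append((label, "full", copied))
        return copied

    def incremental(self, label):
        copied = self._marked()
        for name in copied:
            self.needs_backup[name] = False            # mark cleared
        self.tapes.append((label, "incremental", copied))
        return copied

    def differential(self, label):
        copied = self._marked()
        # Mark deliberately left set: the next differential copies them again.
        self.tapes.append((label, "differential", copied))
        return copied

    def restore_set(self):
        """Labels of the tapes needed to rebuild the latest state, oldest first."""
        last_full = max(i for i, t in enumerate(self.tapes) if t[1] == "full")
        after = self.tapes[last_full + 1:]
        kinds = {t[1] for t in after}
        if len(kinds) > 1:
            raise ValueError("mixing incremental and differential tapes is not modelled")
        needed = [self.tapes[last_full]]
        if kinds == {"differential"}:
            needed.append(after[-1])    # last full + newest differential only
        elif kinds == {"incremental"}:
            needed.extend(after)        # last full + every incremental, in order
        return [label for label, _, _ in needed]

    def restored_files(self):
        """Union of the files on the restore-set tapes (should equal every file)."""
        labels = set(self.restore_set())
        return frozenset().union(*(files for label, _, files in self.tapes if label in labels))


def run_week(kind):
    """Replay the timeline of Figures 8.1/8.2 with 'differential' or 'incremental'
    daily backups. Returns the BackupSet and a dict of what each daily tape held."""
    bs = BackupSet(FILES)
    bs.full("Saturday")
    daily = getattr(bs, kind)
    log = {}
    bs.modify("productinfo1.dat", "customerinfo2.dat")
    log["Sunday"] = daily("Sunday")
    bs.modify("vendorinfo1.dat")
    log["Monday"] = daily("Monday")
    bs.modify("pdata1.dat", "pdata2.dat")
    log["Tuesday"] = daily("Tuesday")
    # Wednesday: drive crash. Which tapes must be mounted to get everything back?
    return bs, log


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        bs, log = run_week(kind)
        print(kind, {day: sorted(files) for day, files in log.items()})
        print("  restore needs:", bs.restore_set())
```

Run it and the differential week reports that Wednesday's restore needs only the Saturday and Tuesday tapes, while the incremental week needs Saturday, Sunday, Monday, and Tuesday; in both cases the union of those tapes covers every file, including catalog.dat, which was never modified after the full backup.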
In many companies users are not allowed to store data on their desk-
top systems. This removes the issue of backups for desktops. But
what about laptops and PDAs? What about desktop configurations?
If users travel with their systems, they can’t be expected to refrain
from saving data on their machines. Backup systems such as Zip
disks, read/write CD-ROMs, tiny hard drives, and other backup
devices can be used as well as dial-up and Internet connections to
store data. The company, however, must determine the procedures
and policies that govern the backup of data stored on these devices.
FIGURE 8.2
Full weekly backup with daily incremental. [Figure: tapes 1 through 4. Saturday: all files; Sunday: 2 files; Monday: 1 file; Tuesday: 2 files; Wednesday: drive crash.]
Another issue to consider is how and where tapes are stored. Both
onsite and offsite storage should be arranged. Special cabinets and
possibly special protective data safes might be provided.
Hardware Backups
Data is not the only thing that might need to be recovered in the
NOTE
Alternative Sites
In picking alternative sites, many decisions must be made. Site type, location, size, and length of service must be determined.
Site type is usually defined as one of the following:
• Hot—Completely configured with equipment, systems software, and appropriate environment. It is only necessary to provide personnel, programs, and data, and recovery can be performed in hours. Usually reserved by paying a subscription cost, with additional charges for activation and daily use. Not intended for long-term use.
• Warm—Partially configured with the possibility of having peripheral equipment such as printers. Arrangements are made for this type of site if there is a good possibility of quickly acquiring replacement hardware. Might take days to make operational.
• Cold—Only the basic environment (wiring, power, air conditioning, and so on) is available. It can take weeks to make ready, so it is often used as a fall-back site from a hot site—in other words, a hot site is used while the cold site is being prepared.
Several backup locations are usually used. The reason for multiple sites
is that several types of problems might require the use of backups to
restore systems. Many times a hardware failure requires the restoration
of data. In that case, there is obviously no need to move to an alterna-
tive location and the data should be restored as quickly as possible.
• Information on ensuring the integrity of backup media
• The systems that require all files to be closed in order to be backed up and those that have special agents available that can be used in an online backup
Backup recommendations include
• Use a different tape for every day of the week.
• Create a weekly backup and use a separate tape for each week of the month.
• Verify each tape after creation.
• Check tapes for errors. Soft errors are recoverable; hard errors are not. A new backup on a new tape should be made.
• If unattended backups are made, make sure errors are logged to a file. Procedures should include steps for reviewing the log files.
• Clean the tapes.
• Use high-quality media.
• Change out tapes frequently, retire old tapes, and use new media.
• Label tapes immediately! Include the date of backup, the contents, and the machine backed up.
• Use a paper-based log to record when backups were made, what was backed up, and the location of the tapes.
• Test backups by doing a restore. Use the hot site if one is contracted.
• Log backup errors, exceptions, and anomalies.
NOTE
Is the Backup Good or Only the Header? Tape backup programs use different methods to verify the backup. Some check only the tape header; others confirm that the backup data is readable. If your backup program is only checking the headers, the backup could be unusable.
NOTE
Alternatives to Tape Tape has long been the backup medium of choice. It’s relatively cheap, widely available, and well understood. Its main detractions have been the time necessary to back up large amounts of data and the corresponding time to restore it. Alternative methods, such as parallel systems, fail-over clusters, and data vaulting, were developed to deal with time-critical applications. As the cost of other electronic media, such as hard disk, CD-ROM, and DVD, continues to decline, businesses are considering and adopting these as the backup media of choice. Time for backup is reduced, as is restore time. In some cases, data can be considered to be online and instantly available. If these media are being used, backup procedures should be adjusted to work with them. Many of the same issues exist: Who is responsible for ensuring they are used? When are they used? Where are they stored? Care needs to be taken to ensure that appropriate copies are kept offsite so that recovery is possible should disaster require movement to alternative processing locations.
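The difference between checking the header and checking the data, which the note above warns about and the "Verify each tape after creation" recommendation depends on, shown concretely. This is an added example, not from the book: a tar archive held in memory stands in for the tape, the sample records and the SHA-256 manifest are constructed here, and the function names are my own. A tar header carries a checksum of the header only, so flipping a byte inside a member's data leaves the archive listing intact; only reading every member back and comparing against an independently stored hash catches the damage.

```python
"""Verify backup content, not just the tape header.

Added example, not from the book. A tar archive stands in for the tape; the
records and the hash manifest are constructed in memory. Corrupting a byte
inside a member's data does not invalidate the tar header checksum, so a
header-only check still passes while a full read-back against the manifest
catches the damage.
"""
from __future__ import annotations

import hashlib
import io
import tarfile

# Constructed sample data standing in for the files on a backup tape.
SAMPLE_FILES = {
    "productinfo1.dat": b"productinfo-record-0001,widget,19.99\n" * 20,
    "customerinfo2.dat": b"customer-record-0002,ACME Corp,net30\n" * 20,
}


def write_backup(files):
    """Return (archive_bytes, manifest) where manifest maps name -> sha256 hex.

    The manifest is the independent record a verifier compares against; it must
    be stored apart from the tape (the paper log or a separate file), not on it.
    """
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def header_only_check(archive):
    """What a weak verifier does: list the member headers and call it good."""
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
            return len(tf.getmembers()) > 0
    except tarfile.TarError:
        return False


def full_verify(archive, manifest):
    """Read every member back and compare its hash to the manifest.

    Returns the names that are missing from the tape or whose content differs.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        present = {m.name: m for m in tf.getmembers() if m.isfile()}
        for name, expected in manifest.items():
            member = present.get(name)
            if member is None:
                bad.append(name)
                continue
            data = tf.extractfile(member).read()
            if hashlib.sha256(data).hexdigest() != expected:
                bad.append(name)
    return bad


def corrupt_data_byte(archive, marker):
    """Flip one byte inside member data, located via a known content marker
    (the marker never appears in a tar header, which holds only the file name)."""
    pos = archive.index(marker) + len(marker) - 1
    damaged = bytearray(archive)
    damaged[pos] ^= 0xFF
    return bytes(damaged)


if __name__ == "__main__":
    archive, manifest = write_backup(SAMPLE_FILES)
    damaged = corrupt_data_byte(archive, b"productinfo-record-0001")
    print("header-only check passes on damaged tape:", header_only_check(damaged))
    print("full verify reports:", full_verify(damaged, manifest))
```

On the damaged archive the header-only check still returns True, while full_verify names productinfo1.dat; the same full read-back also reports a file that the manifest expects but the tape no longer holds, which is the other way a restore fails silently.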
CASE STUDY: DOES BUSINESS CONTINUITY WORK?
ESSENCE OF THE CASE
• A business continuity plan was in place; however, the unique way in which employees responded to a disaster ensured this company’s continuation and subsequent successes.
SCENARIO
Yes (and the better your plans, the more likely it is). In the wake of the 9/11 attack on the World Trade Center, many businesses did not survive. But many did. The World Trade Center offices of bond trading giant Cantor Fitzgerald LP were destroyed, and 180 of its 733 employees were killed. However, Cantor was ready to trade two days later—in time for the September 13 reopening of U.S. Treasury markets.
According to an article in the December 13, 2001 issue of Computerworld (http://www.cnn.com/2001/TECH/industry/12/13/redundancy.rebound.idg/index.html) and information on the company’s Web site (www.espeed.com), Cantor was able to do so because of built-in redundancy provided by its business-to-business online marketplace and IT services group, eSpeed (www.espeed.com), and because of the efforts of remaining eSpeed employees based in the U.S. and London.
eSpeed had duplicated its IT services in a similar data center in the U.S. and was working toward uninterrupted uptime by linking both locations. Although that goal was not in place, each data center ran some of the services all the time, and periodic duplication of data from one to the other was ongoing. Additional backup facilities were provided by the London location.
Although the attack broke connections for U.S. customers, customers in Europe and Asia were unaffected. eSpeed also lost connections to banks, which meant it could not fulfill trade settlements.
After the attack, employees worked around the clock to make sure the business could continue. They did so, they say, not because their jobs required it, but because they felt it was a way to reclaim what had been taken away. Nothing could restore the lives of those who died, but those who lived felt they could honor them by keeping the company going.
Shortly after the attack, trade settlement was outsourced to Automatic Data Processing (ADP). When the markets reopened, eSpeed was open for business and accepted the trades. Because bank reconnections were not completed by that time, however, it outsourced output to ADP for fulfillment.
Employees were successful. The company is doing well today and is caring for the families of the lost employees with health insurance and other benefits.
ANALYSIS
It would be nice to say that recovery was due to complete business continuity planning, but that was not the case. Outsourcing was not planned and practiced as part of a disaster recovery plan. Nevertheless, it was accomplished in just two days. Redundancy, dedicated employees, and the efforts of ADP made accomplishing the task possible. It almost seems—and the stories available for viewing on the eSpeed Web site verify—that the camaraderie and dedication of the employees was at least as important to the recovery efforts as the formal plan was.
CHAPTER SUMMARY
The business continuity planning and disaster recovery planning domain encompasses those activities required to ensure business survival in the face of events that interrupt its activities. Although the restoration of data processing and the recovery of computer operations are significant parts of that effort, technology recovery is not the entire story. Other business processes need to be evaluated, and their resumption planned, if a business is to survive. Business continuity planning might be best described as the merger of disaster recovery planning and business resumption planning.
KEY TERMS
• Business continuity planning (BCP)
• Business impact assessment (BIA)
• Business resumption planning
• Co-location
• Cold site
• Cooperative hot site
• Create and ship
• Data duplexing
• Data mirroring
• Data vaulting
• Differential backup
• Disaster recovery planning (DRP)
• Fail-over cluster
• Federal Emergency Management Agency (FEMA)
• Full backup
• Full recovery test
• Hierarchical storage management (HSM)
• Hot site
• Hybrid site
• Incremental backup
• Maximum tolerable downtime (MTD)
• Mobile site
• Nonessential records
• Parallel test
• Partial backup
• Physical safeguards
• Procedural safeguards
• Recovery point objective (RPO)
• Recovery time objective (RTO)
• Redundant array of inexpensive disks (RAID)
• Redundant site
• Shunt trip
• Structured walkthrough test
• System downtime
• System outage
• Verify backup
• Vital records
• Warm site
APPLY YOUR KNOWLEDGE
Exercises
8.1 Researching Business Continuity Plans
The purpose of this exercise is to rate company plans for business continuity.
Estimated Time: 1 hour
2. Rate these sites by analyzing the information they provide versus the marketing hype they offer. Which companies can provide evidence of their plans? Or, do the companies simply make promises? Create a chart, such as the one shown here, that includes your ratings. Evaluate the results.
Site | Rating | Notes
http://www.disasterrecovery.com/ | Contains a lot of information | A very good section on legislation and what is required as far as disaster recovery
http://www.riskconsult.com/home.html | Insurance/risk | Several articles on insurance, risk assessment
http://www.apexdm.com/ | Contains just advertising |
A P P LY Y O U R K N O W L E D G E
Exam Questions

1. A business impact assessment examines business processes to determine which of the following?
A. Which business processes are the most complex
B. Which business processes use computers
C. Which business processes are critical to the organization’s survival
D. Whether a business process needs to be a part of the business continuity plan

2. A successful test of a business recovery plan has which following result?
A. A pass or fail
B. Demonstrated recovery of data from a backup
C. A visit to the hot site that reveals appropriate equipment is in place and operational
D. Information that can be used to make the plan more effective and knowledge of the readiness of the staff and availability of the equipment necessary

3. If a total disaster (the business facility is completely destroyed) occurs, which type of alternative site is best?
A. Hot site
B. Redundant site
C. Warm site
D. Cold site

4. Which requirement is most important during the analysis of the impact of business interruption on a particular business process?
A. How large the data file is
B. Current data duplication efforts already in place
C. The amount of money lost for every day of non-operation
D. Whether the operation directly impacts customers

5. The first step of any response to a business interruption event should be what?
A. If human life is at risk, evacuate the premises.
B. Call the proper authorities.
C. Secure critical or sensitive data.
D. Determine the source of the problem.

6. Business continuity planning is iterative. In which order should events occur?
A. Plan, train, test, revise
B. Plan, test, train, revise
C. Test, train, revise, plan
D. Plan, revise, test, train

7. Data management for e-commerce operations might include several functions designed to ensure 24/7 availability. If all of the following are being used, which of them can be eliminated without jeopardizing full data recovery in the event of a disaster?
A. HSM
B. RAID
C. Daily backups
D. Data vaulting
E. Co-location

8. What is the first step in developing a comprehensive data management program?
A. Ensure that all data systems are backed up.
B. Determine the location of all data.
C. Determine where critical data is stored.
D. Determine which data is most important.

9. You need to update a disaster recovery plan that was written when the only computers used in the company were mainframes. You are most likely to find that which of the following is true?
A. Because processing is now distributed, a hot site is not necessary.
B. Because data vaulting is now practiced, data backup is no longer required.
C. Data might reside on user systems, and the plan must address responsibility for the backup of this data.
D. Individual departments have already developed comprehensive disaster recovery plans of their own.

10. What is the most important indicator of a successful business continuity plan?
A. Strategies and operations are put into effect that prevent, reduce, or mitigate the impact of a disaster on the capability of a business to continue.
B. When tested, all operations such as data recovery, building evacuation, and location of alternative site personnel are successful.
C. It covers every possible issue and resource necessary to recover operations.
D. When a disaster occurs, people know what to do.

Answers to Review Questions

1. You can find historical information on natural disasters in your location by consulting old newspapers, historical associations, and municipal records. Information can also be found on the FEMA site (www.fema.gov). See the “What Are the Disasters That Interrupt Business?” section for more information.

2. Legal and statutory regulation of some industries might require a business continuity plan. Federal record keeping requirements also should be checked. See the Introduction for more information.

3. Disaster recovery planning is the process of creating a plan for the immediate recovery of technical business processes, such as those done by computer. Business Continuity Planning encompasses this, the mitigation of the effect of business interruption, the recovery of all operational business processes, and the restoration to normal function. See the section “Quantifying the Difference Between DRP and BCP” for more information.

4. A business impact assessment should be completed because it reveals the most critical business processes, allows their ranking, and produces a maximum tolerable downtime for each critical process. See the section “Business Impact Assessment” for more information.

5. A good indicator of whether a process is critical is if the business can survive very long without it. To find this out, you should ask what would happen if the process could not be completed for a certain time period (an hour? a day? a few minutes?); how much money would be lost, not earned, not collected, and so on; and what other processes would be affected. See the section “Gathering and Charting Information” for more information.

6. To determine which resources are necessary to recover a process, you have to look at the hardware, software, personnel, environment, and so on that the process is using today. Also important is knowledge of its reliance on other processes. See the section “Listing Necessary Resources: Process and Site Selection Criteria” for more information.

7. Plan scope is important for two reasons. First, if no plan exists, it is best to narrow the plan scope to more quickly and successfully create the plan. Often, choosing an area where disaster prevention procedures and mitigation can be established results in visible successes and enables future planning efforts. Second, management structure, corporate culture, or other political reasons might require some divisional development of plans. See the section “Determining Recovery Plan Scope” for more information.

8. Even though an e-commerce operation is co-located, a backup is necessary. Operational failure is not always so catastrophic as to require immediate change over to the alternative site. Problems can be as simple as an accidental deletion in an area of the site where the time to restore the data is minimal and can be tolerated. In addition, what happens if the alternative location is destroyed? See the section “Developing a Backup Strategy” for more information.

9. Business recovery planning includes a review of insurance, protective systems, and operational safety procedures to determine whether they are adequate. The planning group should always be searching for and recommending any additional items or procedure modifications that might prevent a business interruption or prevent it from becoming a catastrophe. See the section “Developing Operational Plans” for more information.

10. A business interruption event is any occurrence that halts normal business operations. A disaster is an event that cripples the organization so that the entire facility is not functional for a long period of time. See the “Hardware Backups” section for more information.

Answers to Exam Questions

1. C. Complexity is not a good indicator of the critical nature of a process. The simple process of checking picture badges against the person wearing them is critical to the security of the business. This process also does not use computers. Answer D might be an end result of the process but is not the best answer. See the section “Business Impact Assessment” for more information.

2. D. A simple pass or fail is difficult to determine because of the complex nature of the plan and the subjective nature of the process. Failure can be proven only if the business goes under, and that is impossible to determine in a test. Thus, determining what “passing” means is impossible. Recovering data from a backup only proves that the backup tape is good. Many other processes and events are required in most recovery efforts. Visiting the hot site can prove that equipment is ready—at that instant in time. However, each test of the plan teaches the business more about its operation and teaches the people who will need to perform the operations in the event of a real disaster. See the section “Testing the Plan” for more information.

3. B. The redundant site is exactly like the current facility, so it could more easily and quickly put the company back into operation. All the other alternative sites lack, or might lack, something that would mean a delay in resumption. (A hot site does not have your software loaded; a cold site does not have computers.) See the section “Determining Recovery Plan Scope” for more information.

4. C. The size of a data file can be important to consider in developing the procedure to deal with the operation, but it is not a good indicator of how critical the operation is. Existing data duplication is important because it means that less new expenditure will be required to provide adequate plans for its resumption. Customer-oriented applications are important and might actually be the most critical because they revolve around sales and the collection of money. However, some applications, such as customer support, less directly impact the bottom line. The real indicator is the financial impact of the loss of the process. See the “Business Impact Assessment” section for more information.

5. A. Nothing is more important than human life. The absolute first response should be to prevent loss of life. If the risk is present, evacuate. See the section “What Are the Disasters That Interrupt Business Operation?” for more information.

6. A. Planning is necessary before testing. Training is the obvious second step. Testing reveals any need for revision. See the section “Implementing the Plan” for more information.

7. A. RAID provides fault tolerance. If one disk fails, data on the other disk(s) can be used immediately. Daily backups provide for restoration of data should other fault-tolerant methods fail. Data vaulting provides an additional copy of data at another location, and co-location provides a ready alternative processing site. However, HSM simply manages data, moving older data to less expensive storage mediums. It is not a good backup strategy because it does not represent additional copies of data and therefore can be removed without jeopardizing data recovery. See the section “Developing a Backup Strategy” for more information.

8. B. If you don’t know where all the data is, how can you manage it? Certainly backup is necessary, but what if you don’t know where all the data is? Knowing where critical data is located is important—do you know where all of it is? Knowing which data is most important is also vital—do you know where all of it is? See the section “Backup Procedures and Policy” for more information.

9. C. A hot site might still be necessary. Nothing in this description says the mainframe is gone, nor does it indicate that distributed systems might not be so critical that having an alternative, quickly available provisioned site might be important. Data vaulting is not a substitute for backup. Although departments might have plans, it is unlikely. It is, however, almost a surety that data resides throughout the company and determining where it is and how it can be backed up is now necessary. See the “Determining Recovery Plan Scope” section for more information.

10. D. It is not possible to ever know that all issues have been covered in a plan. Testing reveals whether those items tested work, but it does not prove the plan. Mitigation efforts are important but not as important as what people actually do when faced with a true disaster. See the section “Testing the Plan” for more information.
CHAPTER 9

OBJECTIVES

professional will better be able to design security systems and execute investigations about security incidents.

STUDY STRATEGIES
• The best way to learn the material in this chapter is to read it with an active mind. Don’t just try to memorize it. Think about it. Notice the interrelationships between the different subjects. It is not entirely predictable what subjects might be covered by this portion of the CISSP exam. By getting a feel for what is right and wrong, you’ll better be able to select the best answer on each exam question.
• This chapter guides you with questions to contemplate as you read. Thinking about the questions should help you remember the concepts.
• This chapter can’t cover every fact of law, investigations, or ethics that might possibly be included on the CISSP exam. It is recommended that as you study sections in this chapter, you also read the additional reading and background material cited throughout the chapter and at the end of the chapter.
INTRODUCTION

The topics of this chapter all interrelate. Computer crime laws are based on rules of ethics. The prosecution of a computer crime depends on the availability of evidence. And, evidence is gathered through investigations.

Often, breaches of computer security are also crimes for which perpetrators can be prosecuted in court. Gathering evidence for prosecution therefore might be one of the objectives in a response to a computer security incident. Some types of evidence are better than others, and often the difference depends on the techniques used to gather and preserve the evidence. This chapter shows the relationships between security breaches, law, incident response, and computer evidence forensics. It also introduces the ethical responsibilities of computer security professionals.

Except as otherwise indicated, the laws addressed in this chapter are American laws. You should also recognize that this chapter provides only a very general statement of the law, and nothing in this chapter is legal advice for a particular situation.

Before you proceed, ask yourself some questions. What should the law deem to be a computer crime? What must happen before the government can brand a person as a computer criminal? How should a court know whether any piece of computer evidence is what it appears to be and is not fabricated or altered? What procedures or ethical standards should a computer security professional follow so courts and other law enforcement authorities will believe what the professional has to say about any particular incident?
FUNDAMENTALS OF LAW
Explain the fundamentals of law.
Laws in the United States are either federal, which apply nationwide and originate from legislation enacted by the U.S. Congress, or state, which apply only within the borders of the state in question. Often, the subject matter covered by federal and state laws can overlap. For example, unauthorized intrusion into a bank’s computers might violate both the federal and state computer crime laws. The intruder could be convicted under both federal law and state law, and the law enforcement authorities having jurisdiction over investigation and prosecution of the matter might be both federal and state.

Criminal laws authorize the government to punish wrongdoers with financial penalties and incarceration. To convict a suspect under criminal law, the government must meet a high standard of proof—proof beyond a reasonable doubt—that the suspect intentionally did something wrong.

NOTE
Reasonable Doubt: Criminal prosecution requires a higher standard of proof—proof beyond a reasonable doubt—that the suspect intentionally did something wrong.

Civil laws, on the other hand, enable private parties to enforce their rights—such as contract, tort, and property rights—through court orders and monetary awards for damages. An example of a tort is negligence, where one party injures another by failing to exercise ordinary care to avoid injury to the other. To win relief under a civil lawsuit, a plaintiff must satisfy a lower standard of proof—proof by a preponderance of the evidence—that she is entitled to relief.

Administrative law allows government agencies to interpret the laws they administer through official statements or regulations and to enforce those laws through investigations, fines, and other sanctions.
Pirates who violate these laws can be liable for civil damages to property owners and even be subject to criminal prosecution.

As you read about patents, copyrights, and trade secrets, notice that these intellectual property laws do not protect all the ideas an entrepreneur might devise.

Patents

A patent grants to its owner the exclusive right to make, use, or sell an invention covered by the patent. A patent can cover a physical invention or a business process, such as a unique process executed by software. To obtain a patent, an inventor must apply to the U.S. Patent and Trademark Office (USPTO). Often, the inventor must wait two or three years before the USPTO decides whether to grant the patent.

Copyrights

Copyright law grants to the owner of a copyright the exclusive right to copy and make derivative works from the copyrighted material. Copyright covers expressions of ideas, such as written words, pictures, sounds, software code, and even live performances. But copyright covers only the expressions of the ideas, not the ideas themselves. For example, if an entrepreneur has an idea for a scrumptious pizza recipe, and she writes that recipe in a book, she then owns the copyright to the words in the book (the expression), but she does not own a copyright to the combination of ingredients and techniques that are used to make the pizza (the idea). Copyright applies automatically to original material as it is created. Copyright law grants to copyright owners special advantages if they mark their material with copyright notices and register their material with the U.S. Copyright Office.
Trade Secrets

Trade secret law allows the owner of a trade secret to prevent others from using or exploiting the secret. A trade secret might be something like a customer list or an algorithm for searching through data on a network. Trade secret law applies automatically to information a company treats as a trade secret. (It does not apply to a pizza recipe published in a book because publication makes the recipe no longer a secret.) To maintain trade secret rights over information, companies must take steps to ensure the information does not become known to the public. Therefore, companies protect their secrets with security methods (encryption, logging copies, and so on) and by asking employees and business partners to enter agreements of nondisclosure. Theft of trade secrets can be a crime.

Privacy Law

Do people have a general right to privacy of information about them? Another way to ask the question is this: When can a company be liable for violating someone’s private information? As you learn the answer to those questions from the following material, observe the key role published privacy notices or policies play.

The United States has no comprehensive national law on privacy. U.S. privacy laws tend to apply on a sector-by-sector basis.

One such sector is healthcare. State laws and the federal Healthcare Insurance Portability and Accountability Act (HIPAA) generally require healthcare providers to maintain the confidentiality of patient information.

The federal Gramm-Leach-Bliley Financial Modernization Act requires financial institutions to give customers notice about how their private information will be protected or shared with third parties. Under the act, financial institutions are free to share information so long as they give customers notice and, in some cases, the opportunity to opt out of information sharing. Failure of an institution to abide by its notice can lead to liability.

The Privacy Act limits the ability of federal government agencies to disclose to the public or other agencies information they have about individual citizens.

Generally, no American law requires that companies post privacy policies with respect to people who visit their Web sites. However, many companies do elect to post privacy policies to make visitors feel more comfortable. Such a policy might say something to the effect that the company will not share with third parties private information collected from visitors. This policy is like a contract, and failure on the part of the company to comply with it can lead to civil liability. For example, US Bancorp paid a total of $7.5 million to settle charges that it used private customer data in violation of a privacy policy it posted on its Web site. See http://www.ag.state.mn.us/consumer/Privacy/PR/pr_usbank_07011999.html, http://www.ag.state.mn.us/consumer/Privacy/PR/pr_usbank_06091999.html, and the September 1, 2000, press release at http://www.firstar.com/about/ii-news-fr.html.

NOTE
Privacy Policy Liability: Failure of a company to abide by its published privacy policy can lead to liability.
Government Regulations

Some specific laws mandate that enterprises institute information security controls.

The federal Foreign Corrupt Practices Act (FCPA) requires publicly owned companies to maintain adequate books and records and an adequate system of internal controls. Normally, the FCPA is enforced as administrative law by the U.S. Securities and Exchange Commission.

The federal Gramm-Leach-Bliley Financial Modernization Act, and official guidelines published under the act, require financial institutions to implement a security program to safeguard private customer information in their possession. See, for example, the guidelines published for banks by the Office of the Comptroller of the Currency at 12 Code of Federal Regulations Part 30, Appendix B.

To stem the transfer of military or strategic capabilities to undesirable countries, the U.S. Export Administration Regulations require that exporters obtain licenses before they export certain high-performance computers and microprocessors, as well as strong encryption. The U.S. Commerce Department’s Bureau of Export Administration (BXA) administers and enforces these export controls. Noncompliance can lead to administrative sanctions and criminal penalties. Accordingly, software containing cryptography functions commonly comes with a license that forbids the licensee from taking the software outside the United States.

• Government records

Advance Planning
A critical element to incident response is to establish an incident plan in advance. Advance planning allows the establishment of priorities, the training of employees before a crisis hits, and the best preservation of legal evidence. Among the steps needed in an advance plan of action are

• Centralize management of the attack so all of the response can be coordinated.
• Designate a single person to receive and analyze reports of suspicious or abnormal activities.
• Make a list of whom to notify.
• Set procedures for identifying, analyzing, and responding to the attack.
• Decide how and when to escalate the response to an attack if it grows worse.
• Designate who has responsibility for which tasks and who within your organization is to be kept informed and mobilized.
• Establish priorities if there is a tradeoff between preserving evidence and keeping systems in production.
• Become familiar with the relevant law enforcement authorities and information sharing organizations in advance, and determine which ones to notify at which time.
• Recognize that a security incident could be more than a technical matter and might warrant coordination with public relations people, corporate attorneys, human resources (if employees are involved), and upper management.
• Reevaluate security, personnel, and the incident response plan after particular incidents occur. Plans should be regularly reviewed and updated.

NOTE
Coordinating with Other Functions Within the Organization: Response to a security incident might require coordination with nontechnical officers within the organization. Public relations staff might need to manage how the incident is reported to the media or customers. If an employee is involved in the incident, the human resources department might need to guide the process by which the employee is confronted and the incident is documented. Upper management might need to be alerted so the necessary resources are made available.
Industries and governments have various organizations to collect and disseminate information about computer attacks. Two such organizations are InfraGard (http://www.infragard.net/) and the Internet Storm Center at the SANS Institute (http://www.incidents.org/).

Some corporate and government information systems are under attack constantly. How does management decide which attacks to report? Generally, the events to be reported are those that have a substantial impact on an organization (such as damage to assets or reputation) or that are unusual and noteworthy.

See the CIO Cyberthreat Response and Reporting Guidelines posted at http://www.cio.com/research/security/response.html for more information on reporting of incidents.
STEP BY STEP

9.1 Classic Computer Crime Investigation from the Perspective of Security Professionals in an Enterprise
1. First, you must detect the intrusion. Detection might come from suspicious or abnormal activity spotted through accidental discovery, audit trail review, or security-monitoring software.

2. Next, you must do whatever is necessary to avoid any additional damage and cut off the potential for liability, such as liability to trading partners who stand to be damaged by the incident.

3. Report the incident to management, being careful to limit knowledge of the investigation and use secure channels of communication.

4. Next is the preliminary investigation, in which you assess damage, witnesses, and whether a crime has occurred and determine what the investigation will need going forward.

5. Next, decide whether disclosure of the incident to government or the media is desired or required. It might be mandatory, for example, to disclose bank fraud to banking regulators.

6. Decide on a course of action, such as tightening of security, maintaining surveillance, or seeking prosecution. The victim enterprise might decide not to pursue prosecution or further investigation because they can be expensive, disruptive, and even embarrassing.

7. Next, assign responsibility for conduct of the investigation, whether it is to internal staff, external consultants, or law enforcement. Issues to consider are cost, investigation control, legal obligations and objectives, and the risk that information about the incident will leak. A possible advantage to using a private investigator rather than law enforcement is that law enforcement often must obtain search warrants (issued by a court) to support its searches and seizures. However, law enforcement can possess greater search and investigation capabilities.
11. Evaluate the risk to the target system before seizing it, including anticipated reaction of the suspect and the risk that evidence will be destroyed.

12. Execute the seizure plan. Secure and search the location, preserve evidence, record each action (such as in a notebook), videotape the process, photograph the system configuration and monitor display, and move the system to a secure location.

13. The final step is to prepare a detailed report documenting facts and conclusions.

The source for the previous list appears at www.cccure.org/Documents/Ben_Rothke/Law-Invest-Ethics.ppt. Refer to it for more detail.

NOTE
The Cost of Investigating and Prosecuting: As a victim enterprise evaluates the cost of a crime investigation, it should remember that the cost can involve more than what occurs in the investigation itself. After the investigation gathers evidence, it can lead to criminal proceedings in court. The proceedings are normally a discovery phase, a grand jury phase, and a trial phase. The court proceedings can require the production of documents and collection of further evidence, as well as the delivery of testimony. All these can consume considerable employee time and might, as a practical matter, be a deterrent to reporting in the first place.
LEGAL EVIDENCE
Explain the laws of evidence and introduce techniques for
obtaining and preserving computer evidence.
To help keep weak evidence out of court, the rules of evidence hold that evidence must be established as authentic, not hearsay, and compliant with the best evidence rule. The concepts of authenticity, hearsay, and best evidence rule should be understood more as rules of thumb rather than hard rules that are followed slavishly in court.

NOTE
Professionalism in Gathering Evidence: The evidence that is most powerful in court is that which is captured in a logical, controlled fashion.

Proof of Authenticity

To be authentic, evidence must be supported by something showing that the evidence is what it purports to be. Proof of authenticity need not necessarily be extremely strong to support admission in court. In other words, for admissibility purposes, proof of authenticity does not necessarily require military-grade security. But if proof of authenticity is weak, the trier of fact might assign the evidence little or no weight.

Hearsay

The “hearsay rule” excludes from court a statement made outside the court that is repeated for the purpose of showing the statement is true. For example, a letter from Jane that says, “Bill bought a car in July,” is hearsay if it is offered in court as evidence that Bill did buy a car in July. However, the hearsay rule has many exceptions. One of those exceptions is that records kept in the ordinary course of business are admissible even though they are hearsay. Very often, business computer records are admitted into court (even though they are technically hearsay) because they were created in the ordinary course of business. Creation of records in the ordinary course of business implies a disciplined, logical method to record-making.
When an electronic writing is at issue, you can most easily satisfy the best evidence rule with respect to that writing by persuading the court that the evidence being offered is an accurate representation of the writing.

The best evidence rule should not be understood as requiring that the best or most direct evidence be admitted in court. However, as stated previously, direct evidence does carry more weight than circumstantial evidence.

Chain of Evidence

Controls are practical measures that reduce the chance records are changed or corrupted. Examples of controls are audit trails and segregation of duties. Audit trails are detailed records of a process, showing what happened, when, where, and how. Segregation of duties means having one person in charge of one part of a record-making process and having an independent person responsible for another part of the process. The presence of better controls makes computer records more believable. Controls denote logic, discipline, and accuracy.

NOTE
Segregation of Duties Makes for a Good Chain of Evidence: The famous case United States v. Poindexter (Crim. No. 88-0080-1) (D.D.C. 1990) illustrates the use of computer evidence in court. The evidence consisted of records of email in a closed, local area network. The records were stored on magnetic tape, under the supervision and custody of the network administrator. The court admitted and relied on the records, but only after the administrator testified about the reliability of the system and the controls in place to protect the records. The administrator was a neutral party and therefore had duties that were segregated from the people who created and relied on the email in question. He established that the tapes stayed under his control (locked in his office) and therefore that a good chain of evidence supported the records.
One form of control is a chain of evidence (also known as chain of
The Fourth Amendment to the U.S. Constitution protects citizens from unreasonable searches and seizures by government. Therefore, law enforcement normally needs a court-issued warrant before searching or seizing evidence, although there are exceptions, such as when evidence is in plain view.
Issuance of a warrant usually requires showing a judge that law enforcement has probable cause to believe the evidence is relevant to a crime. After a warrant is issued, the search for evidence should stay within the terms of the warrant. If law enforcement believes more evidence is available, it should obtain a warrant for that additional evidence. Under the exclusionary rule, evidence obtained in violation of the Fourth Amendment is excluded from court. The purpose of the exclusionary rule is to penalize law enforcement if it violates the Fourth Amendment.
COMPUTER FORENSICS
Introduce techniques for obtaining and preserving computer evidence.
Forensics is the use of science and technology to investigate and establish facts that can be used in court. When using forensics for computer incidents, the one objective is to preserve evidence from the earliest moment possible.
NOTE
Computer Forensics to Assess Email Evidence. Suni Munshani v. Signal Lake Venture Fund II, LP (Massachusetts Superior Court, Civil Action No. 00-5529 BLS) demonstrates the use of computer forensics in a dispute over Internet email. Plaintiff Munshani sued the defendant company claiming that the company’s CEO promised to grant him warrants for purchase of stock at a favorable price in exchange for the plaintiff’s work for the company. To support his claim, the plaintiff produced an email record purporting to make the promise. The defendant, on the other hand, proved the email record was fake by producing a thorough forensic analysis of the plaintiff’s and defendant’s email logs. The analysis showed that the plaintiff’s record was an alteration of an authentic email. Anomalies in the email headers, together with a date stamp that was five months too late, showed the plaintiff’s record to be a forgery. See the court order, the forensic report, and explanatory articles at http://www.signallake.com/litigation. The source of this information is the article “Email Tampering, This Time the Good Guys Won,” by M. Weingarten and A. Weingarten, which appeared in the January 2002 issue of Business Communications Review.
Collection and preservation of evidence is best performed by forensics experts with special training. Consider calling in outside experts. Still, staff who are not forensics experts can aid an investigation by keeping a disciplined, detailed journal of what happened during an incident and when the events occurred. Secure files that log activities on a network can be powerful evidence for use in investigations and court. The more extensive the logs, the better, because extensive logs signify discipline and diligent effort. Ideally, the logs would be maintained all the time, not just in response to an incident. (By maintaining them all the time, you increase the chance a court will view them as routine business records that are exempted from the hearsay rule, which was discussed earlier in the chapter in the “Legal Evidence” section.) The logs are more credible if their integrity is protected with such measures as digital signatures; secure time stamps; segregation of duties; and the use of dedicated, separate computers.
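As an added example that is not part of the original chapter, the following Python sketch shows one way to give an activity log the integrity protection the paragraph calls for: each entry is chained to its predecessor and authenticated with a keyed HMAC (assumed here as a stand-in for the digital signature the text mentions), so that editing, removing, or reordering an entry is detected on verification. The log entries, timestamps, and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed key for the demonstration only. Following the segregation-of-duties
# point in the text, the key would live on a separate logging host held by a
# custodian who is not one of the people generating the events.
LOG_KEY = b"constructed-demo-key-not-for-production"


def _seal(prev_mac: str, body: Dict) -> str:
    """Chain this entry to its predecessor's MAC, then authenticate the result."""
    payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log: List[Dict], event: str, timestamp: str = None) -> Dict:
    """Append one activity record whose MAC transitively covers every earlier record."""
    prev_mac = log[-1]["mac"] if log else "genesis"
    body = {
        "seq": len(log),
        "time": timestamp or datetime.now(timezone.utc).isoformat(),
        "event": event,
        "prev": prev_mac,
    }
    entry = dict(body, mac=_seal(prev_mac, body))
    log.append(entry)
    return entry


def verify_log(log: List[Dict]) -> Tuple[bool, int]:
    """Walk the chain from the first entry.

    Returns (True, -1) when every entry is intact, otherwise (False, index of the
    first entry whose sequence number, back-link, or MAC does not check out).
    """
    prev_mac = "genesis"
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev_mac:
            return False, i
        if not hmac.compare_digest(_seal(prev_mac, body), entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, -1


def demo() -> Dict:
    """Constructed incident journal: three entries, then the tampering cases a
    court-facing log must be able to answer for."""
    log: List[Dict] = []
    append_entry(log, "IDS alert on host fileserver-01", "2002-10-21T15:38:00+00:00")
    append_entry(log, "Disk image taken, SHA-256 recorded", "2002-10-21T16:02:00+00:00")
    append_entry(log, "Image sealed in evidence bag, tag E-0001", "2002-10-21T16:15:00+00:00")

    intact = verify_log(log)

    edited = [dict(e) for e in log]
    edited[1]["event"] = "Disk image taken (no hash recorded)"  # silent rewrite
    after_edit = verify_log(edited)

    dropped = [log[0], log[2]]  # middle entry removed
    after_drop = verify_log(dropped)

    truncated = log[:2]  # newest entry cut off: NOT detectable from the log alone
    after_truncate = verify_log(truncated)

    return {
        "intact": intact,
        "after_edit": after_edit,
        "after_drop": after_drop,
        "after_truncate": after_truncate,
        "head_mac": log[-1]["mac"],
    }
```

Truncating the newest entries still verifies, which is why the latest MAC should also be lodged with a secure time-stamping service or on a dedicated, separate computer, as the paragraph suggests.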
ual should be designated to coordinate the entire process and ensure that all procedures are followed. A detailed, chronological notebook should be kept of all steps followed to collect and transport evidence. Tamper-proof copies of evidence should be made by properly trained personnel, using competent tools. Evidence should be sealed, tagged, and logged into the incident notebook. Evidence must be stored in a secure location, and every time the evidence is moved or examined, details should be recorded in the evidence notebook. These efforts are the earmarks of a disciplined, credible effort to gather evidence.
NOTE
Practical Forensics. For more information on the practical use of computer forensics, see Illena Armstrong’s article “Computer Forensics, Tracking Down the Clues,” which appeared in the April 2001 issue of SC Magazine (http://www.scmagazine.com/scmagazine/2001_04/cover/cover.html).
Even when a company calls law enforcement to collect evidence, the company should have its own private investigators making copies of
Step By Step 9.2 outlines the techniques you should use to examine
a PC.
STEP BY STEP
9.2 PC Examination Checklist
1. Before starting a computer forensics examination, get
appropriate authority from corporate management. If the
investigator is in law enforcement, a court-issued search
warrant might be necessary.
FIGURE 9.1 A careful forensic investigator photographs the system’s location and general setup before moving the computer.
4. Transport the computer to a secure location.
5. Boot the computer without booting from the suspect hard
drive itself. Boot from a floppy, or remove the hard drive
and examine it using a separate computer dedicated to
forensic examination.
6. Using forensic software, make a bit-stream image of the suspect drive; then run a hash of the suspect hard drive and the image to confirm the data in the two are the same. Next, document the system date and time. Forensics software can then be used on the image copy to run keyword searches through files, free space, and slack space. Popular forensic software packages include AccessData Development’s Forensic Toolkit (FTK), Guidance’s EnCase, and NTI’s SafeBack.
NOTE
Best Practices. For more information about how to handle the examination of a PC, see the article “Best Practices for Seizing Electronic Evidence: A Joint Project of the International Association of Chiefs of Police and the U.S. Secret Service” at www.treas.gov/usss/electronic_evidence.htm.
It is better to analyze a mirror image of the contents on a drive than the contents actually on the drive. By analyzing the mirror image, the forensic investigator avoids altering the original data.
For more information on the elements in Step By Step 9.2, see the
following:
• “Digital Forensics: Crime Seen,” an article by Bill Betts that appeared in the March 2000 issue of Information Security Magazine (http://www.infosecuritymag.com/articles/march00/cover.shtml).
Step By Step 9.3 shows you the steps a computer forensic expert
should take when analyzing what is on a computer.
STEP BY STEP
9.3 The Steps of a Computer Forensic Analysis
1. Make a bit-level image copy of the suspect disk.
2. Make a cryptographic hash or digest of the disk as a
whole and all directories, files, and disk sectors.
3. Perform analysis in a secure environment.
4. Use forensics software to find hidden, deleted, or
encrypted files.
5. Boot the suspect system with a trusted operating system.
Run a complete system analysis.
6. To discover any background or malicious programs and
learn of any system interrupts, reboot the suspect system
with its original operating system.
7. Examine backup media, such as CDs or floppies.
8. Investigate any files that are protected with passwords or
encryption. Techniques such as password crackers and
interviews of suspects can lead to the opening of files.
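The imaging and hashing steps (step 6 of Step By Step 9.2, and steps 1 and 2 of Step By Step 9.3) carried out in Python, as an added example rather than code from the chapter or from any of the forensic packages it names: the “drive” is a constructed file, the sector size is an assumed 4096 bytes, and a real acquisition would read the source through a write blocker on the dedicated examination machine.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

BLOCK_SIZE = 4096  # assumed "sector" size for per-sector hashing


def hash_file(path: str) -> str:
    """SHA-256 of a whole file, read in fixed-size blocks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_device(src_path: str, image_path: str) -> Dict[str, str]:
    """Bit-stream copy of src to image (Step 9.2, step 6 / Step 9.3, step 1).

    The source is hashed as it is read; the finished image is then re-read from
    disk and hashed independently, so the two digests vouch for what was actually
    persisted, not for an in-memory buffer.
    """
    src_hash = hashlib.sha256()
    with open(src_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    return {"source_sha256": src_hash.hexdigest(), "image_sha256": hash_file(image_path)}


def hash_sectors(image_path: str) -> List[str]:
    """Per-sector digests of the image (Step 9.3, step 2), so a later change can be
    localised to a sector instead of merely 'the whole-disk hash differs'."""
    with open(image_path, "rb") as f:
        return [hashlib.sha256(b).hexdigest() for b in iter(lambda: f.read(BLOCK_SIZE), b"")]


def changed_sectors(before: List[str], after: List[str]) -> List[int]:
    """Indices of sectors whose digest differs; a length mismatch counts as changed."""
    n = max(len(before), len(after))
    return [i for i in range(n) if i >= len(before) or i >= len(after) or before[i] != after[i]]


def demo() -> Dict:
    """Constructed run: image a fake drive, verify source and image agree, then show
    how a single altered byte in the working copy is detected and localised."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "suspect_drive.img")
    with open(drive, "wb") as f:
        f.write(b"constructed disk content " * 1000)  # 25,000 bytes -> 7 sectors

    report = image_device(drive, image)
    baseline = hash_sectors(image)
    verified = report["source_sha256"] == report["image_sha256"]

    # The mistake the text warns about: working on data that then gets altered.
    with open(image, "r+b") as f:
        f.seek(5000)
        f.write(b"X")
    still_matches = hash_file(image) == report["image_sha256"]
    where = changed_sectors(baseline, hash_sectors(image))

    return {
        "verified": verified,
        "still_matches_after_edit": still_matches,
        "changed_sectors": where,
        "sector_count": len(baseline),
    }
```

Record both digests and the per-sector list in the evidence notebook at acquisition time; re-hashing at every later examination is what turns “we did not alter the original” into something the chain of evidence can demonstrate.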
COMPUTER ETHICS
Discuss computer ethics.
What is the relationship between criminal law and ethics? Should
the principles stating what is and is not criminal be similar to the
principles of what is and is not ethical? Recall the Computer Fraud
and Abuse Act discussed earlier. Compare it to the Request for
Comments (RFC) 1087 titled “Ethics and the Internet,” published
January 1989 by the Network Working Group of the Internet
Activities Board.
One of the guidelines in the (ISC)2 Code requires that a CISSP avoid conflicts of interest. A conflict of interest occurs when a professional owes loyalty to two different people who have competing interests, such as the professional’s employer versus a vendor to the employer or the employer versus the professional’s own self interest. For example, a computer security professional has a conflict of interest if her employer asks her to investigate the presence of gambling over the employer’s information systems when the professional is one of those who has in fact been participating in the gambling activities.
NOTE
Study Ethics Code. You should study the (ISC)2 Code of Ethics thoroughly. It is not written as a black-and-white set of detailed rules, but rather as general principles intended to promote good ends, such as professionalism, truthfulness, and safe computing practices.
Computer ethics should be promoted within organizations through
training and published reminders to end users. Employee manuals
should include material on computer ethics.
CASE STUDY: PROVING COPYRIGHT INFRINGEMENT
ESSENCE OF THE CASE
• Bill’s employer suspects a thief is stealing its proprietary data.
• The thief is encrypting its data.
• Is it legal and ethical for Bill to intercept the thief’s data and break the thief’s encryption?
SCENARIO
Bill is a CISSP employed by XYZ Music, an online broadcaster of live concerts. XYZ suspects that Loco Music has found a way to break the encryption XYZ uses to scramble its broadcasts and capture the content so that Loco can resell it as an encrypted product to a small group of elite clients. But XYZ has no proof that Loco is doing this. Bill knows how to break Loco’s encryption. He suspects that if he taps into Loco’s Internet transmission and breaks its encryption, he will have proof that Loco is stealing content from XYZ. Bill plans to log the results as evidence. Is Bill about to embark on a wise plan of action?
ANALYSIS
Bill is about to venture into dangerous waters. Although Loco might be infringing XYZ’s copyright and might be violating the Digital Millennium Copyright Act, Bill does not know that. What’s more, Bill himself will be at risk of infringing Loco’s copyright and of violating the DMCA. When he breaks Loco’s encryption, he might be defeating a security measure that Loco applies to protect its own copyrighted material, some or all of which might legitimately be owned by Loco.
Bill should be careful about “tapping” into Loco’s transmission. If, for example, he goes to a server owned by Loco and accesses the transmission without authority, he might be violating the Computer Fraud and Abuse Act, the Wiretap Act and state computer crime laws, as well as RFC 1087’s ethical teaching that Internet users are not to seek unauthorized access to Internet resources.
As a CISSP, Bill has an ethical duty to avoid unlawful professional conduct.
CHAPTER SUMMARY
It’s hard to predict precisely what legal and investigation material will be covered on the exam. Technology, law, and methods are changing, and even experts can disagree on what is right, what is wrong, what is important, and what is not important. It is hoped that you gain an intuitive sense of the subject by studying this chapter and the materials cited in it.
This chapter introduced the intellectual property concepts of patent, copyright, and trade secret and explained that serious copyright and trade secret violations can be crimes. It identified other key American computer crime laws: the Computer Fraud and Abuse Act, the Wiretap Act, the Electronic Communication Protection Act, and the Digital Millennium Copyright Act.
The motivations for and responses to computer attacks were introduced. The key to good response to an incident is to have a plan in place in advance, so procedures, contacts, and priorities don’t have to be worked out in a crisis.
A prime objective of a computer crime investigation is to collect and preserve legally useful evidence. Organization, logic, and thorough documentation are the qualities that will win the results of an investigation favor in court.
KEY TERMS
• Authenticity
• Best evidence rule
• Chain of evidence or chain of custody
• Conflict of interest
• Copyright
• Digital Millennium Copyright Act
• Directive on data protection
• Exclusionary rule
• Fair information practices
• Forensics
• Hearsay
• HIPAA
APPLY YOUR KNOWLEDGE
Exercises
9.1 Connecting the Key Principles
Reread this chapter, and look for the key philosophical principles that apply to each of the topics covered here. Notice the interrelationships between the principles in each of the topics. Write sentences describing the interrelationships you see; the process of writing will help you remember as you prepare for the exam.
Estimated Time: 30 minutes
Answer to Exercise 9.1:
1. Notice how computer crime law is based on ethical principles of good computer practices.
2. Also note how the purpose of evidence law is to find credible representations of fact, and the evidence of computer activities that is most credible is that which is gathered according to disciplined, methodical procedures.
3. The best forensic techniques emphasize logical, controlled steps for securing evidence and memorizing it in records.
4. Notice that privacy is achieved by following logical, disciplined steps to notify individuals about how their private information will be used. Privacy is about being honest and truthful, which are ethical qualities expected of CISSPs.
5. Finally, you should have learned how third parties can promote desired results in information management. Segregation of duties makes records more credible. And privacy is protected by requiring law enforcement to seek approval from an independent third party (that is, a court) before a search of private information is conducted.
Review Questions
1. What factors should be considered before a computer security incident occurs?
2. What are some leading laws requiring businesses to secure their information resources?
3. How does a company protect its rights to trade secrets?
4. What are the prerequisites to prosecuting a suspect for a crime?
5. What are the essential provisions of the Computer Fraud and Abuse Act?
6. What are the key ethical principles for a computer security professional?
7. Identify basic principles of fair information practice.
8. How does one make a chain of evidence?
Exam Questions
1. Which of the following is not always required for the government to secure a criminal conviction of a suspect?
A. A confession signed by the suspect
B. Evidence that the suspect broke a criminal law
C. A specific law stating that the act committed by the suspect was a crime
D. Evidence that the suspect acted with intent
2. A police officer suspects Joe is using his computer to break into Acme, Inc.’s corporate information systems. The officer seizes Joe’s computer and conducts a careful forensic analysis of the data stored on Joe’s hard drive. Later, when Joe is being prosecuted in court, the judge determines that the police officer should have obtained a search warrant before seizing and searching Joe’s computer. What is the judge likely to do?
A. Convict Joe of violating the Computer Fraud and Abuse Act.
B. Conduct his own forensic analysis of Joe’s computer.
C. Exclude from court the evidence obtained by the police officer from Joe’s computer.
D. Levy a fine against Acme, Inc.
3. Armed with a warrant for searching and seizing a suspect’s computer, a police investigator enters a suspect’s home and prepares to seize his computer for further investigation. The computer is turned on. What should the investigator avoid doing?
A. Photographing the computer
B. Tagging the cables coming from the computer so the investigator can remember which cable was plugged into which port
C. Shutting down the computer’s operating system
D. Removing the computer to the investigator’s facilities for careful analysis
4. Which is least likely to be an ethical violation?
A. Under the direction of the CEO, a security manager destroys records of the CEO’s wrongdoing.
B. A security manager says she will advocate that her company purchase a certain security product if the vendor sponsors her vacation on a cruise ship.
C. A security manager, in accordance with his company’s published policy, reviews the content of employee email on company servers.
D. A security manager misleads a journalist to protect her company’s interests.
5. Which of the following is least likely to be a crime?
A. Imitating a new competitor’s business strategy
B. Selling pirated music
C. Stealing a competitor’s secret method for organizing a database
D. Exceeding authority on public ISP servers to view private email records
6. An IS employee on duty Sunday night discovers an unfolding computer security incident. What would be the best source of information on what the employee should do?
A. A leading textbook on computer security
B. The Computer Fraud and Abuse Act
C. The FBI
D. An incident response plan previously established by the employee’s management
7. Which is typically not part of a computer forensic investigation?
A. Making a mirror image of a subject computer’s hard disk
B. Erasing corrupted files
C. Searching for hidden data in slack space or attached to the end of files
D. Moving a subject computer to the investigator’s office
8. After a security incident begins, you set up a facility for logging data as evidence of what is happening. After you start the logging process, you think of a way in which a clever hacker could defeat or corrupt the logged data. Which is the better course of action?
A. Preserve the log as is.
B. Destroy the log.
C. Obtain advice by submitting an inquiry to the (ISC)2 ethics committee.
D. Notify the Internet Storm Center at the SANS Institute (http://www.incidents.org/) of how the log might be corrupted.
9. Which of the following is not part of a typical chain of computer evidence?
A. Making a mirror image of data on a hard disk
B. Storing data media in protective bags, labeled with date, time, place of origin, and identity of custodian
C. Videotaping the installation of a new PC
D. Detailing in a notebook the methods used to collect, protect, and store data
Answers to Review Questions
1. Before a security incident occurs, advance planning and training are critical. The plan should address your organization’s priorities and the tradeoffs between the collection of evidence for prosecution and the maintenance of systems in production. The plan should address whom to notify and when. For more information, see the section “Advance Planning.”
2. The following are laws requiring information security on the part of corporations: the Foreign Corrupt Practices Act, the Gramm-Leach-Bliley Financial Modernization Act, and the Healthcare Insurance Portability and Assurance Act (HIPAA). For more information, see the section “Government Regulations.”
3. A company that wants to maintain the value of its trade secrets endeavors to keep the secrets a secret. It enters nondisclosure agreements with employees and trading partners who need to know the secrets. It also protects the secrets with encryption and copy controls. For more information, see the section “Trade Secrets.”
4. To convict a suspect of a crime, the suspect must have intentionally committed an act that was previously defined by law (normally a statute passed by Congress or a state legislature) as a crime. A prosecutor must produce evidence to a court showing, beyond a reasonable doubt, that the suspect committed the act. For more information, see the section “Criminal Law and Computer Crime.”
5. The Computer Fraud and Abuse Act forbids knowing, unauthorized access to a computer of the U.S. government or a financial institution or which is used for interstate or foreign commerce, if that access leads to any of the following: classified or national security-related information, records of a financial institution, government records, information on a computer involved in interstate commerce, an effect on the government’s use of the computer, fraud, damage, trafficking in passwords, or extortion. For more information, see the section “Criminal Law and Computer Crime.”
6. These summarize the CISSP’s ethical duties: Do protect society and infrastructure; do behave honestly and legally; do deliver professional service; and do uphold the profession. For more information, see the section “Computer Ethics.”
7. An individual who is the subject of collection of personally identifiable information should have right to the following: notice about which data will be collected and how it will be used; choice about whether data will be collected; access to collected data; reasonable protections for accuracy, integrity, and security of collected data; and rights to seek redress for abuse of data. For more information, see the section “Privacy Law.”
8. There is no single way to make a good chain of evidence. A chain of evidence is persuasive documentation and procedures that show a court where evidence came from, how it was stored and protected, who stored and protected it, and that it was not tampered with. The chain can include chronological notes in a notebook, secure storage facilities, labels on storage media, time stamps, and employee training. For more information, see the section “Chain of Evidence.”
Answers to Exam Questions
1. A. To secure a conviction, the government needs proof that the suspect intentionally broke a specific criminal law. A confession can be the proof required. But if the suspect does not confess, the government can prove its case by other means. For more information, see the section “Computer Law and Computer Crime.”
2. C. When the judge determines that the police officer should have obtained a search warrant in advance, the judge is in effect saying that the officer violated Joe’s right under the Fourth Amendment to be free of unreasonable searches and seizures by the government. A typical remedy when the Fourth Amendment has been violated is to exclude from trial any evidence the government obtained through the illegal search and seizure. For more information, see the section “The Fourth Amendment.”
3. C. When a forensics investigator seizes a computer that he finds turned on, normally the best way to shut down the computer is to unplug it from its power source. Shutting down the operating system can alter or destroy evidence on the computer. For more information, see the section “Computer Forensics.”
4. C. The manager does not violate the privacy rights of employees by examining their email where the company has told employees (such as through a published policy) that their email is not private. Ethical rules do forbid security professionals from destroying important data (which is dishonest), maintaining a conflict of interest, or lying. For more information, see the section “Computer Ethics.”
5. A. A company usually has no right to exclude others from copying the way it conducts business. But selling pirated music appears to violate copyright laws. Stealing a secret method appears to be theft of the competitor’s trade secret, and viewing email without authority appears to be a violation of the Electronic Communication Privacy Act. For more information, see the section “Intellectual Property Law.”
6. D. A previously established plan should give the employee the specific instructions she needs for her particular facility and should set the priorities that are important for her enterprise. For more information, see the section “Advance Planning.”
7. B. A key objective of a computer forensics investigation is to avoid altering or destroying data. For more information, see the section “Computer Forensics.”
8. A. No evidence is perfect. Better to preserve what evidence is collected than to destroy it. For more information, see the section “Legal Evidence.”
9. C. Typically, a chain of computer evidence is a series of techniques and procedures for gathering and preserving evidence from a computer that has previously been in use. For more information, see the section “Chain of Evidence.”
Suggested Readings and Resources
1. Hutt, Arthur E., Seymour Bosworth, and Douglas B. Hoyt. Computer Security Handbook, Third Edition. John Wiley & Sons, 1995.
2. Mcmillian, Jim. “Importance of a Standard Methodology in Computer Forensics,” May 2, 2000. This article is available only on the Web, at this URL: http://rr.sans.org/incident/methodology.php.
3. Staggs, Jimmy. “Computer Security and the Law.” Published by SANS Institute on December 1, 2000. (A copy of the article is available at http://rr.sans.org/legal/law.php.)
4. Tipton, Harold F., and Micki Krause, eds. Information Security Management Handbook, Fourth Edition, Volume I. CRC Press, 1999.
5. Tipton, Harold F., and Micki Krause, eds. Information Security Management Handbook, Fourth Edition, Volume II. CRC Press, 2000.
6. Tipton, Harold F., and Micki Krause, eds. Information Security Management Handbook, Fourth Edition, Volume III. CRC Press, 2001.
7. Welch, Thomas. “Computer Crime Investigations & Computer Forensics,” Information Systems Security, Summer 97, Vol. 6 Issue 2, p56. (A copy of the article is also available on the Web at this URL: http://telecom.canisius.edu/cf/computer_crime_investigation.htm.)
8. Winn, Jane K., and Benjamin Wright. The Law of Electronic Commerce, Fourth Edition. Aspen Law & Business, 2001.
Physical Security
OUTLINE
Tape and Media Library Retention Policies 553
Document (Hard-Copy) Libraries 555
Waste Disposal 556
Physical Intrusion Detection 559
Chapter Summary 563
Apply Your Knowledge 565
STUDY STRATEGIES
• Remember that the Common Body of Knowledge is intended to be “abstract and stable” and “independent of necessary skills, tasks, activities or technologies.” When studying, concentrate on general issues (for example, what costs and constraints a card access system imposes as part of a perimeter control strategy) and how to apply specific knowledge, rather than on specifics (for example, characteristics of various types of smart cards).
• Concentrate on how security issues and measures relate to one another and affect one another. For example, access control card systems affect power supply issues, fire protection, privacy, staffing, and costs as well as the obvious issue of keeping the wrong people out and letting the right people in.
• Remember that the physical security material in this chapter is part of a broader picture, and concentrate on how these topics relate to material from the other domains.
INTRODUCTION
Physical security refers to the provision of a safe environment for
information processing activities and to the use of the environment
to control the behavior of personnel.
The objectives in this chapter are explained and supported by
observing the categories defined by (ISC)2 and addressing a number
of supporting topics. (ISC)2 groups physical security issues into five
categories. These are
• Facility requirements: such as site selection and construction and perimeter control
• Technical controls: such as card or token systems
• Environmental/life and safety: such as power and fire issues
• Physical security threats: such as weather and other natural events and intentional attacks
• Elements of physical security: such as sensors and surveillance
TABLE 10.1
PHYSICAL AND ENVIRONMENTAL SECURITY: PREVENTIVE TECHNIQUES/COUNTERMEASURES
Columns (an X marks each asset class the countermeasure applies to): Facility; Support; Supplies, Materials, and Components
Site location X X X
Perimeter security X X X
Construction standards X X
Security containers X
Drainage water detection X X X
Access control procedures X X X
Doors X X X
Locks, keys, cards X X X
Recognition badges X X X
Access control logs X X X
Maintenance logs X
Transportation X
Fire protection X X X
Offsite facilities X X X
Waste disposal X
VULNERABILITIES
Understand some of the most common vulnerabilities and
how they affect different asset classes differently.
Vulnerabilities affect assets. A common list of types of vulnerabilities
is “destruction, disclosure, removal, and interruption.” At this level
of abstraction, disclosure makes little sense—these are physical
assets. Information assets (including things such as plans for physi-
cal assets like buildings or surveillance systems) can be disclosed
inappropriately; physical assets themselves cannot.
The primary vulnerabilities of the classes identified here are
• Facility
  Destruction:
  - Accidental (fire, flood, earthquake, wind, snow, construction faults)
  - Deliberate (vandalism, sabotage, arson, terrorism)
• Support
  Destruction:
  - Accidental (fire, flood, earthquake, wind, snow, construction faults)
  - Deliberate (vandalism, sabotage, arson, terrorism)
  Removal:
  - Accidental (equipment failure, public utility outage, fire, flood, earthquake, wind, snow, construction faults)
  - Deliberate (sabotage, vandalism, arson, terrorism)
  Interruption:
  - Accidental and deliberate are the same as in the previous lists.
• Supplies, Material, and Furniture
  Destruction:
  - Accidental (fire, flood, earthquake, wind, snow, and so on)
  - Deliberate (arson, vandalism)
  Removal or Disclosure:
  - Accidental (carelessness)
  - Deliberate (theft)
  Interruption:
  - Accidental (fire, flood, and so on)
  - Deliberate (sabotage, arson, vandalism, terrorism)
SELECTING, DESIGNING,
CONSTRUCTING, AND MAINTAINING A
SECURE SITE
Know the elements involved in choosing, designing, con-
structing, and maintaining a secure site. Elements include
• Site location and construction
• Physical access controls
• Power
• Environmental controls
• Water exposure problems
• Fire protection and prevention
Here is the crux of the issue: Your ability to physically secure assets
depends on your ability to physically secure the site as well as the
data center. A number of elements contribute to vulnerabilities,
applicable threats, and the countermeasures that can be taken to
mitigate them. In evaluating each site, not everything will be as easy
to control. In studying the principles outlined here, you must realize
that, although some risks can be eliminated or reduced due to prop-
er site selection and facilities construction, we are rarely given that
opportunity—and even these ideal conditions will vanish as time
changes them and new threats appear.
The study of site selection, construction, and maintenance can best
be understood within the framework of the controls available to mit-
igate the vulnerabilities previously described. These controls are
roughly divided into the following:
• Site location and construction
• Physical access controls
• Power issues and controls
• Environmental controls
• Water exposure problems and controls
• Response
• Doors
• Keys, including card systems and other tokens, and window construction
Passive Controls
Passive measures of access control include doors and locks. The doors
should be of solid construction; making them fireproof can be a
good idea because they then will also be solidly constructed.
Reasonably secure locks are fairly inexpensive, but often are not pro-
vided unless specifically requested. Alarms to indicate that doors are
open might be reasonable measures, if someone is monitoring the
alarms.
There are many types of locks. Combination locks as well as keyed
locks are available in various secure levels. Combination locks are
more difficult to open in normal use, but combinations can be
changed more easily than keyed locks can be re-keyed, and it is
easier to keep track of combinations than of a rack of keys. Also,
even though people can forget combinations, they cannot be lost as
keys can. (Of course, if combinations are written down rather than
memorized, the paper with the combination can be lost!)
For situations in which more sophisticated control is appropriate,
more expensive lock systems—including remote control, magnetic
locking mechanisms, and such—might be advisable. Such systems
often are combined with access cards (“smart” or not) or other
tokens, with or without biometric elements (fingerprints, pictures,
facial bone structure, retina patterns, hand geometry and so forth).
Dumb cards usually have a magnetic stripe that stores roughly 80
bytes, enough for basic personal information and some authorization
codes. Smart cards contain processors and can include several kilo-
bytes of information, enough for considerable biometric data and
detailed records of what the token holder is authorized to do or has
done. Smart cards can include enough processing power on the card
to deal with encrypted communication to the control site, a major
leap forward in security because many types of attacks become
infeasible with encryption technology.
Normally, a computerized control system keeps logs of entry and
exit, and this provides an access log and audit logs without the need
to keep track of paper.
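The following is an added example, not part of the original chapter, showing in code why the on-card processing mentioned above changes the attacker's options. A stripe code is the same every time it is read, so anyone who captures it once (from the reader wiring, or by skimming the card) can replay it; a card that holds a secret key and answers a fresh challenge gives the eavesdropper nothing reusable. The stripe contents, the card identifier, the 16-byte key, the HMAC-based message layout and the one-shot challenge rule are assumptions made for this illustration, not any vendor's protocol:

```python
"""Replay attack against a static card code versus a challenge-response card.
Reader, card and control site are plain Python objects (added example; the
protocol details are assumptions, not a real access-control product)."""
import hashlib
import hmac
import os
import secrets


class MagStripeCard:
    """Dumb card: the stripe holds a fixed authorization code, read verbatim."""

    def __init__(self, stripe: bytes) -> None:
        self.stripe = stripe

    def present(self) -> bytes:
        return self.stripe            # identical on every swipe, so it can be copied


class SmartCard:
    """Card with a processor: the key never leaves the chip, only a keyed MAC does."""

    def __init__(self, card_id: bytes, key: bytes) -> None:
        self.card_id = card_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # HMAC over (card_id || challenge): proves key possession for this challenge only.
        return hmac.new(self._key, self.card_id + challenge, hashlib.sha256).digest()


class ControlSite:
    """Central system behind the door readers."""

    def __init__(self) -> None:
        self.stripe_db = set()        # authorized static codes
        self.key_db = {}              # card_id -> shared key (provisioned at enrollment)
        self.spent = set()            # challenges that have already opened a door

    def enroll_stripe(self, stripe: bytes) -> None:
        self.stripe_db.add(stripe)

    def enroll_smart(self, card_id: bytes, key: bytes) -> None:
        self.key_db[card_id] = key

    def check_stripe(self, presented: bytes) -> bool:
        return presented in self.stripe_db

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh, unpredictable nonce per attempt

    def check_smart(self, card_id: bytes, challenge: bytes, response: bytes) -> bool:
        key = self.key_db.get(card_id)
        if key is None or challenge in self.spent:
            return False                 # unknown card, or a challenge being replayed
        expected = hmac.new(key, card_id + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        self.spent.add(challenge)        # a challenge is good for exactly one opening
        return True


def run_replay_demo() -> dict:
    """An eavesdropper records one legitimate entry with each card type and replays it."""
    site = ControlSite()
    stripe = MagStripeCard(b"EMP=4471;ZONE=DC;AUTH=7F3A")   # constructed stripe contents
    site.enroll_stripe(stripe.present())
    key = os.urandom(16)
    smart = SmartCard(b"CARD-0001", key)
    site.enroll_smart(smart.card_id, key)

    sniffed_stripe = stripe.present()                # captured once from the reader line
    challenge = site.new_challenge()
    sniffed_reply = smart.respond(challenge)         # captured once, too
    legit = site.check_smart(smart.card_id, challenge, sniffed_reply)

    return {
        "legit_smart_entry": legit,
        "stripe_replay_opens_door": site.check_stripe(sniffed_stripe),
        "smart_replay_same_challenge": site.check_smart(smart.card_id, challenge, sniffed_reply),
        "smart_replay_new_challenge": site.check_smart(smart.card_id, site.new_challenge(), sniffed_reply),
    }


if __name__ == "__main__":
    for name, outcome in run_replay_demo().items():
        print(f"{name}: {outcome}")
```

The stripe replay succeeds and both smart-card replays fail: the first because the control site refuses a challenge it has already accepted, the second because the recorded MAC does not match a new challenge. Note what this does not fix: if the reader forwards only a card number to the controller over an unprotected line, an attacker on that line is back to replaying a static value, so the challenge-response has to run end to end between the card and the system that makes the decision.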
The two major considerations of what type of token to use are cost
and safety.
Costs depend on the type of card and the type of system. Non-smart
cards are not reusable and are cheap. Smart cards cost in the range of
$2 (in large volume) to $7 or $8; specialized cards can be very
expensive. Smart cards usually are reusable, which helps somewhat
to mitigate costs. Generally, a system involving smart cards implies
significant computer and communications capability (between sen-
sors and central database processors) and can be expected to be rela-
tively costly. Where biometrics are involved, the sensors that read
fingerprints, cameras that “look at” faces or retinas, and other
biometric sensors also are more costly than simple magnetic stripe
readers.
Systems involving biometrics have other issues, such as reliability
and errors. In 2002, biometric sensors are an evolving technology;
false positive or false negative errors usually are in the range of
0.01%–1.0% for the better-developed technologies like fingerprint
readers. This sounds good and is acceptable in some cases (usually
when the traffic volume is relatively low). However, a 1% false posi-
tive rate in an airport with 100,000 passengers daily means 1,000
people are flagged incorrectly every day, or 3 people per jumbo jet—
and there are many airports with far more than 100,000 passengers
daily. Some technologies, such as face recognition, have error rates
closer to 5%.
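The arithmetic behind the airport figures above, as an added example that is not part of the original chapter. The chapter supplies the 1% error rate and the 100,000 passengers per day; the prevalence of genuinely wanted people (assumed here to be 1 in 100,000), the 1% miss rate and the 10 minutes per secondary check are assumptions for this illustration. The precision figure generalizes the chapter's point: when the people being looked for are rare, nearly every alarm is a false one regardless of how good the headline error rate sounds, and that is what drives staffing.

```python
"""Daily workload created by a biometric screening line (added example).
Error rates are per-passenger probabilities; volumes are expectations."""
import math


def expected_alarms(passengers: int, fpr: float, fnr: float, prevalence: float) -> dict:
    """Expected daily alarms for a screening line with the given error rates.

    fpr: fraction of innocent passengers flagged (false positive rate).
    fnr: fraction of genuine targets missed (false negative rate).
    prevalence: fraction of passengers who are genuine targets (assumed).
    """
    targets = passengers * prevalence
    innocents = passengers - targets
    false_alarms = innocents * fpr
    true_alarms = targets * (1.0 - fnr)
    missed = targets * fnr
    total = false_alarms + true_alarms
    precision = true_alarms / total if total else 0.0   # P(genuine target | alarm)
    return {
        "false_alarms": false_alarms,
        "true_alarms": true_alarms,
        "missed_targets": missed,
        "precision": precision,
    }


def flagged_per_flight(seats: int, fpr: float) -> int:
    """How many passengers on one full aircraft are wrongly pulled aside."""
    return math.ceil(seats * fpr)


def secondary_screeners(false_alarms: float, minutes_each: float, shift_hours: float = 8.0) -> int:
    """Staff needed just to clear the false alarms, one shift per day."""
    staff_hours = false_alarms * minutes_each / 60.0
    return math.ceil(staff_hours / shift_hours)


if __name__ == "__main__":
    for fpr in (0.01, 0.001, 0.0001):
        r = expected_alarms(100_000, fpr, 0.01, 1e-5)
        print(f"FPR {fpr:.2%}: {r['false_alarms']:.0f} false alarms/day, "
              f"precision {r['precision']:.2%}, "
              f"{secondary_screeners(r['false_alarms'], 10)} secondary screeners")
```

At a 1% false positive rate the line produces about 1,000 false alarms a day and roughly one alarm in a thousand is real; cutting the rate a hundredfold to 0.01% still leaves about ten false alarms a day for every one genuine hit. Lowering the false positive rate by tightening the matching threshold raises the false negative rate, so the two cannot be driven down together with the same sensor.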
As is repeated many times in this chapter, risk assessment (related
here to perimeter access control) should identify the threats, vulnera-
bilities, exposures, and an acceptable loss; smart card or other token
systems might be cost-justified.
Power
Computers need electrical power to work. This area is a technical
one in which detailed examinations require specific technical train-
ing, and an expert should be involved in the design process.
The first level of expert is the manufacturer of the computer(s). Pay
attention to what type of power the maker says should be supplied.
Most computers are sensitive to dirty power (a power supply that has
significant voltage variations, interference, and similar variances from
what should be expected). A consideration for microcomputers, for
example, could be other office equipment on the same power line. Some
electric typewriters generate a fairly powerful short surge when the car-
riage return is engaged. Such a surge in computer equipment attached
to the same power line is not good, so protection is needed. The first
rule of computer power usually is “isolation”—the computer should be
on a different line than other office equipment. This rule applies to per-
sonal computers as well as to mainframes. (Practically, manufacturers
have made personal computers relatively insensitive to this sort of power
fluctuation; otherwise, no one could use them at home.)
Power supply conditions should be monitored. Many automatic
devices are available that will keep a record of usage and similar
items. From a security perspective, you should consider the
building’s electrical room as well; penetration here could stop the
computer as surely as penetration into the computer room itself.
Magnetic tapes and plastics such as CDs and DVDs are diffi-
cult to ignite when stored in containers, but they’re also diffi-
cult to extinguish when ignited. Plus, they produce poisonous
combustion products when they burn. If a media storage vault
opens onto the computer room (a very common design, for
excellent efficiency reasons), special attention is needed to
minimize spread of a fire between the equipment and the
media vault.
• Training—Fire regulations should be known and observed by all employees. Employees should be given training in fire prevention as well as in what to do when a fire does occur. The training should include instructions about exits, available extinguishing equipment, emergency power, and other shutoffs.
• Testing—Fire procedures should be tested periodically with fire drills. (This is normally required by local regulations. It’s also a common-sense practice.) There is a risk here: Too few fire drills will not maintain familiarity with procedures, while too many will create a “boy who cried wolf” situation. In the case of a real fire, people might be slow to respond because they will think it is yet another drill.
• No smoking policy—For fire risk and other reasons, smoking should not be allowed around computers. This also applies to personal computers—the lifetimes of disks in environments with cigarette smoke might be very short indeed because the smoke particles can adhere to the media via static and other charges and cause read errors. Smoking also provides a source of ignition. Everyone probably has seen the worn tracks in carpets where cigarette smoking is common and ashes fall to the rug; a cigarette dropped into a waste paper box could cause a very destructive fire.
If prevention does not work, fire protection becomes the issue. The
first thing is to detect the fire. Obviously, you want to detect it while
it is still small and controllable.
Fire-detection systems are common and inexpensive. Ionization-type smoke detectors sense the drop in current through a small chamber of ionized air when smoke particles enter it, and they respond fastest to the fine particles of a flaming fire. Photoelectric detectors, on the other hand, react to the scattering or blockage of a light beam by smoke and are better at catching slow, smoldering fires. Heat detectors react to the heat of a fire. Combinations of these detectors can detect a fire very quickly, and often before there is a serious problem. Most local fire codes now require smoke detectors in residences and workplaces; the mass production of detectors has brought the costs down drastically. Effective smoke detection, including both ionization and photoelectric detectors, can be achieved for a small investment.

The first rule after a fire is detected (either by smoke, heat, or other means) is to get the people out. Fires can spread very quickly, more quickly than many people realize, and toxic gases are produced as well as heat and smoke. People are the most important asset and are difficult for an organization to replace, as well as having high intrinsic value. Only after all personnel are safe and accounted for is it appropriate to attempt to put out a fire, and then it should be done only after calling the fire department.

Many fire extinguishing systems are available. Portable fire extinguishers always should be available near any electrical equipment, including computers. These extinguishers must be examined periodically to ensure they remain useful. For computers, type ABC extinguishers are appropriate because ordinary combustible solids (class A), flammable liquids (class B), and energized electrical equipment (class C) all are common in computer room fires. Get the people out first; then an attempt can be made to extinguish a small fire using portable or other extinguishers. The primary purpose of extinguishers is to ensure that an escape route can be cleared; the fire department always should be called and the people evacuated before any extinguishing attempts are undertaken.

WARNING
Extinguishing Fires: Any attempts to put out a fire must be done by people who have appropriate training. Choosing the wrong material can be hazardous to health. For example, attempting to put out an electrical fire with water can lead to electrocution. In the heat of the moment, this simple thing can be forgotten. Also, improper use of a fire extinguisher can spread a blaze rather than put it out. In addition, fires usually create toxic gases, especially fires involving plastics. Smoke inhalation of such toxic compounds kills more people than flame in many fires, sometimes including people who stay too long trying to put out a fire.
Fixed systems include carbon dioxide extinguishers, with or without directing hoses. The entire computer room can be flooded with carbon dioxide to put out most fires by depriving them of the oxygen needed to support combustion; with hoses, the gas can be directed at specific fire sites. Such systems are expensive and should not be automatic: They deprive people (such as computer operators) of oxygen, as well as depriving fires of oxygen. Installation of such systems is a job for professionals.

A fire-protection system that is safer for people and that extinguishes fires without irreparably damaging computer equipment uses Halon 1301 gas. Rather than smothering a fire, Halon interrupts the chemical chain reaction of combustion, and it does so at concentrations that are not quickly fatal to people, so automatic systems can kill the fire while allowing people enough time to get out. Halon systems are installations requiring specialized expertise, so professionals should be engaged. Halon systems also are expensive, as are tests of the system (a refill can cost more than $1,000). Such elaborate fire systems probably are appropriate only in mainframe installations. (The Halon numbers are a naming convention for halogenated hydrocarbons: Halon 1301 is bromotrifluoromethane and Halon 1211 is bromochlorodifluoromethane. Halon 1301 is a total-flooding agent used in fixed systems, which need pressurized cylinders and piping; Halon 1211 is a streaming agent that was sold in portable extinguishers, either alone or blended with Halon 1301. Such portable extinguishers were once available as normal retail items; although this is no longer true, they might still be in use.)
With the signing of the Montreal Protocol in 1987, Canada, the United States, the European Community, and 23 other nations agreed to control the production and consumption of certain ozone-depleting substances, including the chlorofluorocarbons (CFCs) and the Halon group. These substances include some refrigerants and, relevant to this discussion, Halon 1211, Halon 1301, and Halon 2402. These Halons are used primarily in fire-extinguishing applications. Both CFCs and Halons are implicated in the depletion of the ozone layer, a potentially serious global environmental problem.

The timetable for implementation of the Montreal Protocol was advanced in 1992, and Halon fire systems might not be a viable alternative for new, or even existing, installations. Halon systems are still used in special circumstances, but under severe regulation.
Regulations regarding the use of Halon vary, but typically include
these recommendations:
• When planning fire protection for new installations, all alternative options (carbon dioxide, water, and so on) should be fully explored before deciding to use Halon.
• When Halon is used, full-discharge testing should be avoided in favor of alternative test procedures.
(It also shrinks: Punched cards and 5 1/4'' disks are no longer com-
mon.) Different media have different characteristics and different
capacities. All media contain data, and the data on the media is just
as valuable and just as sensitive in movable form as when being used
by the computer. Removable media, by definition, also are at least
somewhat portable. This presents a security and control risk. Usually
it is recommended that there be a tape/media library for storage
purposes.
Depending on the installation, the media library can range in size
from a small cabinet to a rather large warehouse-size space.
Whatever the size, the media storage area should be
• Restricted—Storage areas need to be at least as carefully controlled as the area in which the data is used. Many computers are not especially portable, but removable media is. The equivalent of several books can fit onto a CD that will fit easily into a shirt pocket. The equivalent of a large book will fit onto a memory stick, which can also be easily slipped into a pocket. (You might be familiar with memory sticks, which are used in digital cameras to store pictures and are about half the size of a stick of chewing gum.) If the book contains sensitive information, such as the corporate budget, careful protection is needed. All the access controls recommended for other restricted areas also are necessary in the media storage area.
• Controlled—Someone should have specific responsibility for keeping records of media entering the library and leaving it, and for conducting frequent inventory of the contents. Any discrepancies should be followed up immediately.
• Locked—This is an elementary issue, but it is frequently ignored. Some form of an automatic locking mechanism is preferable, so that carelessness cannot lead to a large exposure.
• Protected from fire—Media contain, as an acquired value, information that might be expensive or impossible to replace, and that might be valuable to others as well. The storage area should be separated from the rest of the computer resource and should have its own independent fire protection. This could be elaborate in a large installation or fairly simple in a small shop.
WASTE DISPOSAL
Know the most common issues related to disposal or
erasure of data.
One of the classic computer crimes reported in the literature
involved a person gaining accounts and passwords to get into a com-
puter system, and instructions on how to compromise it, by going
through a telephone company’s waste bins. (This often is called
dumpster diving.) Similar incidents have involved statistical and taxa-
tion data. The security and control principle here is that discarded
listings, media, and anything else containing data or information
remain sensitive (if they were in the first place). Control on disposal
is necessary.
Note that the cleaning staff must be cleared or kept out of areas con-
taining sensitive assets.
Some points should be kept in mind here:
• Most personal computer operating systems do not actually erase data files when the operator says “erase” or “delete”; they set a flag indicating the file is “deleted.” The flag can be reset, and fragments of data might still exist. (Some application software also does not necessarily destroy data when you delete it: For example, many database products don’t delete items until the database is packed.) In fact, programs exist specifically for the purpose of recovering deleted files. Overwriting, degaussing, or physical destruction is needed to ensure the erasure. (A degausser generates a strong, varying magnetic field that randomizes the magnetic domains used to store data; on a modern hard disk it also destroys the factory-written servo tracks, so the drive cannot be reused afterward.)
  Note that formatting a disk on a personal computer might not destroy data (this depends on the operating system and hardware manufacturer). Overwriting, degaussing, or physical destruction is necessary.
• Data stored on most commonly available optical media (such as CD-ROM and DVD) cannot be erased; the medium must be destroyed thoroughly. However, read/write optical systems are becoming common. Read/write optical media (CD-RW and some DVD formats) are erasable. WORM (write once, read many) media, including CD-R and DVD-R, act like read/write media but actually simply use the large capacity of an optical disc to store multiple copies of data, one for each version. WORM has advantages where a record of historical changes is necessary; the key here is that the data cannot be erased.
(This works better with black coffee; you need to use soap and water
to remove sugar and other sticky stuff.) To dispose of an optical disc,
physical destruction is necessary—breaking it into pieces or melting
it works best.
When disposing of classified data, more stringent rules might be necessary. File wipe programs exist that actually overwrite media, rather than merely deleting the contents or directory entry. Although some file wipe software uses particular patterns of bits to ensure the maximum chance of overwriting everything, there are issues of physical play in read/write heads and of remanence in the media. Laboratory recovery of overwritten data was a genuine concern with older, low-density drives; for current high-density disks a single overwrite pass is generally considered adequate for unclassified data (NIST SP 800-88, the media sanitization guideline, takes this position). A file wipe still cannot reach sectors the drive has silently remapped as bad, and on flash media and on journaling or copy-on-write file systems an overwrite might never touch the cells that held the original data. Even a file wipe might not be sufficient for classified material.
Physical destruction of media might be required.

In the special case of nonremovable media that need repairs or are being discarded, consideration must be given to the risk of advanced techniques being used to read the waste. (Of course, advanced techniques are unnecessary if a disk being repaired has not been wiped, as noted previously.) It is common in high-sensitivity situations to destroy any media, removable or not, that must leave a high-security area for any reason.

More information about dealing with classified material is found in the “Government of Canada Industrial Security Manual,” and in Department of Defense Guide DOD 5220.22-M on sanitizing media.

NOTE
Offsite Storage: Data (or whatever) stored offsite (somewhere outside the normal computer center) must have a level of security and control at least as good as the computer center has. Extremely tight security in the computer center does little good if backup copies of the same data and information are unsupervised in a warehouse without adequate fire or access control. The same considerations apply while media are being transported.
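The two points made above, that “delete” only sets a flag while the data stays on the medium and that a file wipe overwrites before deleting, can be watched happening on a miniature disk image. This is an added example, not code from the chapter: the layout (fixed-size directory entries in front of a block array, with 0xE5 as the “deleted” marker the way FAT uses it), the block geometry and the budget text are all constructed for the toy.

```python
"""Toy disk image: delete only flags the directory entry; wipe overwrites
first (added example, not a real file system driver)."""
import os

BLOCK, N_BLOCKS = 64, 16            # toy geometry
NAME_LEN, N_ENTRIES = 12, 8
ENTRY_LEN = NAME_LEN + 3            # name | start block (1 byte) | length (2 bytes)
DELETED = 0xE5                      # first byte of a freed entry, as in FAT
SECRET = b"BUDGET: payroll=4.2M; acquisition target=ACME; offer=$37/share"   # constructed


class ToyDisk:
    """Directory table plus data blocks; no journal, no wear levelling, no encryption."""

    def __init__(self):
        self.dir = bytearray(N_ENTRIES * ENTRY_LEN)
        self.data = bytearray(N_BLOCKS * BLOCK)
        self.free = [True] * N_BLOCKS

    def _entry(self, i):
        raw = self.dir[i * ENTRY_LEN:(i + 1) * ENTRY_LEN]
        name = bytes(raw[:NAME_LEN]).rstrip(b"\0")
        return name, raw[NAME_LEN], int.from_bytes(raw[NAME_LEN + 1:], "big")

    def _find(self, name):
        for i in range(N_ENTRIES):
            if self._entry(i)[0] == name.encode():
                return i
        raise FileNotFoundError(name)

    @staticmethod
    def _blocks(length):
        return -(-length // BLOCK)          # ceiling division

    def write(self, name, payload):
        n = self._blocks(len(payload))
        start = next(s for s in range(N_BLOCKS - n + 1) if all(self.free[s:s + n]))
        i = next(i for i in range(N_ENTRIES) if self.dir[i * ENTRY_LEN] in (0, DELETED))
        off = i * ENTRY_LEN
        self.dir[off:off + NAME_LEN] = name.encode().ljust(NAME_LEN, b"\0")
        self.dir[off + NAME_LEN] = start
        self.dir[off + NAME_LEN + 1:off + ENTRY_LEN] = len(payload).to_bytes(2, "big")
        self.data[start * BLOCK:start * BLOCK + len(payload)] = payload
        self.free[start:start + n] = [False] * n

    def delete(self, name):
        """The OS 'delete' the text describes: flag the entry, free the blocks, touch no data."""
        i = self._find(name)
        _, start, length = self._entry(i)
        self.dir[i * ENTRY_LEN] = DELETED
        n = self._blocks(length)
        self.free[start:start + n] = [True] * n

    def wipe(self, name, passes=3):
        """A file-wipe program: overwrite the blocks with random bytes, then delete."""
        _, start, length = self._entry(self._find(name))
        span = slice(start * BLOCK, (start + self._blocks(length)) * BLOCK)
        for _ in range(passes):
            self.data[span] = os.urandom(span.stop - span.start)
        self.delete(name)

    def recover_deleted(self):
        """An undelete tool: flagged entries still point at intact blocks."""
        found = {}
        for i in range(N_ENTRIES):
            if self.dir[i * ENTRY_LEN] == DELETED:
                name, start, length = self._entry(i)
                label = "?" + name[1:].decode(errors="replace")   # first character lost to the flag
                found[label] = bytes(self.data[start * BLOCK:start * BLOCK + length])
        return found

    def raw_contains(self, needle):
        """What a carver sees: the data area alone, ignoring the directory."""
        return needle in self.data


def demo():
    d = ToyDisk()
    d.write("budget.txt", SECRET)
    d.delete("budget.txt")
    undeleted = d.recover_deleted()              # flag reset in effect; data intact
    d.write("memo.txt", b"OK")                   # reuses the freed slot and block...
    fragment_left = d.raw_contains(b"payroll=4.2M")   # ...but overwrites only 2 bytes
    header_gone = not d.raw_contains(b"BUDGET")

    w = ToyDisk()
    w.write("budget.txt", SECRET)
    w.wipe("budget.txt")
    after_wipe = w.recover_deleted()             # entry still findable, contents are noise
    return {"undeleted": undeleted, "fragment_survives_reuse": fragment_left,
            "overwritten_part_gone": header_gone, "after_wipe": after_wipe}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The undelete returns the budget verbatim, the later two-byte file leaves everything past its own length readable to a carver, and after the wipe the directory still says a file was there but the blocks hold random bytes. The caveat from the text applies to the real thing: the toy overwrites in place, which a journaling or copy-on-write file system, or an SSD doing wear levelling, does not promise to do, so for those media the practical choices are encryption with key destruction or physical destruction rather than a file wipe.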
TABLE 10.2
SENSORS AND OTHER DETECTION MECHANISMS

Motion detector
Description: Can use infrared light beams, lasers at any wavelength, microwaves, or other means to detect motion in an area where there should not be motion. Sensor units that broadcast a signal can be about the size of a pack of cigarettes, and the receivers can be small.
Issues: Can be installed to detect an approach to a perimeter or presence inside a controlled area. Can be very inexpensive or more expensive and very sophisticated. More sophisticated installations require power to operate a central processor; less sophisticated installations usually run on batteries (which, of course, must be checked and replaced periodically). Requires some sort of response system to determine what caused the sensor to trigger. Normally installed out of sight, although light-based units require a line-of-sight to the area to be monitored. Susceptible to triggering from natural events such as wind.

Heat detector
Description: Measures increased temperature from a heat source—fire, human or animal body, or other source. Sensor unit can be very small (millimeters) if at the end of something like a lens attached to an optical fiber.
Issues: Use and considerations as for motion detectors. Does not require line-of-sight and does not react to wind or most natural events. Can also detect fires, sometimes before there is an actual flame. Can react to small animals if sensitivity is set high.

Vibration sensor
Description: Measures vibrations caused by events such as glass breakage, collision of a vehicle with a wall, footsteps, or other noises. Can react to noise, broken foil on a window, and magnetic or mechanical switches.
Issues: Use and considerations as for motion detectors. Often visible in the form of tape on windows. Can be a very sophisticated system such as a laser measuring displacement. Susceptible to triggering from wind and other natural phenomena.

Capacitance detectors
Description: Measure the change in capacitance caused when an animal or a human approaches the sensor.
Issues: Usually installed on things like fences. Susceptible to false alarms from wild animals (including raccoons and dogs, even in cities). Sensor units do not have to be close to the point of interest.

Magnetic sensors
Description: Measure changes in magnetic fields caused by the presence of a conductor. Well-known examples include gates and wands in airport security screening.
Issues: Typically react to conductors, including innocuous items such as keys and coins. Will not detect things such as plastic or nylon knives or explosives.

Sniffers
Description: The best of this class of sensor is a trained dog. Canaries are used in some situations as well. Technological solutions include some type of device that collects air and performs tests to determine the presence of items of interest. This form of technology is fairly expensive and must be considered a developing technology.
Issues: Response time of machine-based sensors can be slow. Dogs and machines react only to those things they have been trained or built to detect. Animals are susceptible to fatigue fairly quickly and require trained handlers and controlled environments. Nonliving sensors do not fatigue and can be very useful for applications where response time is not critical.

Cameras
Description: Can range from simple CCD (charge-coupled device, a small and low-power-drain type of imaging chip) units providing a video feed to a central monitoring station to pointable cameras. Can be sensitive to infrared, ultraviolet, or other invisible frequencies. Some variations can see in complete darkness, usually by infrared. Individual units can be small, and there might be nothing other than a lens (perhaps 1mm in diameter) attached to an optical fiber, with the actual sensor remotely located.
Issues: Requires monitoring or some form of recording. More sophisticated systems require power; CCDs and similar devices need only small batteries. Cameras are so small and inexpensive that they are becoming ubiquitous; people are rarely out of view of a camera in many workplaces and public spaces. There are significant issues of privacy in public areas. Monitoring can be a problem because most of the time it is a very boring job.
IN THE FIELD (continued)
The tactic of putting power poles in the back of a truck and backing
it at a high speed into a wall has been mentioned (as has the
counter of minimizing long, straight lanes and roadways). Similarly,
chain link fences can be penetrated with minimal damage to vehi-
cles but can be strengthened substantially simply by attaching a
cable to back up the links.
Typical times and other considerations vary greatly among these
lists, frequently for the same attack using the same tools. Also, the
introduction of weapons into a situation materially changes things.
Nevertheless, such lists can serve as a guide to physical security
measures related to site construction and selection. Perhaps the
single most important message from the lists is this:
Multiple rings of protection, with different preventive measures
requiring different tools for penetration at each barrier, can slow an
attack significantly, allowing response teams to arrive.
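The “rings of protection” message above can be put into numbers. What follows is an added example, not part of the original chapter: a simplified timeline model in which each barrier has a penetration delay and a probability that the attempt is detected there, the response clock starts at the first detection, and the attack is interrupted only if the delay still ahead of the attacker exceeds the response time. Detection is assumed to occur as the attacker starts on a barrier (the sensor is on the barrier itself). The barrier names, delays, detection probabilities and response times are assumptions for illustration.

```python
"""Delay-versus-response model of layered physical protection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Barrier:
    name: str
    delay_s: float    # seconds to get through with the tools the attacker carries
    p_detect: float   # probability the attempt at this barrier is detected


# Constructed path from the site boundary to the asset.
PATH = [
    Barrier("chain-link fence", 30, 0.30),
    Barrier("vehicle barrier", 60, 0.50),
    Barrier("exterior door", 120, 0.90),
    Barrier("data center door", 180, 0.95),
    Barrier("server cabinet", 60, 0.00),
]


def remaining_delay(path, i):
    """Delay still ahead of an attacker who has just reached barrier i."""
    return sum(b.delay_s for b in path[i:])


def p_interrupt(path, response_s):
    """Probability the response force arrives before the attacker reaches the asset."""
    p_not_yet_detected = 1.0
    total = 0.0
    for i, b in enumerate(path):
        p_first_detection_here = p_not_yet_detected * b.p_detect
        if remaining_delay(path, i) >= response_s:
            total += p_first_detection_here     # detection here leaves enough delay
        p_not_yet_detected *= 1.0 - b.p_detect
    return total


def critical_detection_point(path, response_s):
    """Last barrier at which detection still leaves time to respond.

    Sensors deeper in than this point produce evidence, not interruption.
    """
    last = None
    for i, b in enumerate(path):
        if remaining_delay(path, i) >= response_s:
            last = b.name
    return last


def harden(path, name, extra_delay_s):
    """Copy of the path with one barrier's delay increased (e.g. a cable behind the fence)."""
    return [Barrier(b.name, b.delay_s + extra_delay_s, b.p_detect) if b.name == name else b
            for b in path]


if __name__ == "__main__":
    for resp in (300, 400):
        print(f"response {resp}s: P(interrupt)={p_interrupt(PATH, resp):.3f}, "
              f"must detect by: {critical_detection_point(PATH, resp)}")
    print(f"door +60s, response 400s: "
          f"P(interrupt)={p_interrupt(harden(PATH, 'exterior door', 60), 400):.3f}")
    print(f"fence +90s, response 400s: "
          f"P(interrupt)={p_interrupt(harden(PATH, 'chain-link fence', 90), 400):.3f}")
```

With a 300-second response the attacker is interrupted about 96% of the time and detection must happen no later than the exterior door; stretch the response to 400 seconds and the odds drop to 65% because detection at the exterior door no longer leaves enough delay. The two hardening runs show where delay pays: adding a minute to the exterior door restores the 96%, while adding 90 seconds to the fence changes nothing for a 400-second response, because most of that delay is spent before anyone has been detected. Delay only counts after detection, which is why the “different tools at each barrier” advice matters: re-run the model with the delays for each tool kit an adversary might carry, and design for the worst one.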
CASE STUDY: BLOWING UP SECURITY—THE CASE OF THE BALLOON

ESSENCE OF THE CASE
Our systems admin was working late and left the data center to visit the food machines in the cafeteria. Upon his return, he found himself locked out of the center. He had left his access card within the data center. Like many facilities, his center required the insertion of a security card in order to enter. A valid card triggers a release mechanism and the door opens. Anyone with a card can enter. To leave this particular system, however, is easier. Motion detectors on the inside of the data center detect someone moving toward the exit and open the doors.

Our resourceful admin recalled that earlier in the day a birthday had been celebrated in the reception area. He returned to the area and found the penetration tool he desired—a balloon that hadn’t been blown up.

He returned to the data center and laid down facing the entrance doors. He pushed the balloon under the door, leaving the mouth of the balloon on his side of the door. Holding the neck of the balloon between thumb and forefinger, and placing his lips over the mouth of the balloon, he began to blow. As he blew, the balloon grew in size—on the inside of the data center. You can imagine the rest. He released the balloon and jumped up. The balloon flew around the immediate inside of the data center and triggered the motion detector. The doors opened, and our administrator was able to enter the facility and continue his work.

SCENARIO
We can learn a great deal about physical security by studying the vulnerabilities discovered by others. Often these penetrations are the result of real-world attacks, but sometimes they result from accidental discovery. In this case, the perpetrator was the systems administrator. He meant no harm; he merely had left his access badge within the data center and needed to return. It was after hours, and no one else was around. This story comes from a discussion found recently on the Internet. The names of the participants and the company are not revealed, in case the vulnerability has not been addressed.

ANALYSIS
Even though this is a humorous account and no harm was done, it points out the need to review physical security devices and look for even the most bizarre vulnerabilities we might find. If the doors had been flush with the floor, instead of providing a handy gap, the penetration would not have occurred. If the motion detectors were tuned (if capable) to respond to a range of motion not within the purview of a rapidly decompressing balloon, the penetration would not have happened. If, of course, motion detection was not used to open the doors from within, the penetration would not have occurred.
CHAPTER SUMMARY
Physical security refers to the provision of a safe environment for information processing activities and to the use of the environment to control the behavior of personnel. This chapter has addressed these issues by discussing your need to
• Know the elements involved in choosing, designing, and configuring a secure site.
• Know how to secure a facility against unauthorized access and theft of equipment and information.

KEY TERMS
• Area control
• Clearing
• Core dump
• Degauss
• Degausser
A P P LY Y O U R K N O W L E D G E
Exercises
10.1 The Airports Council International Airports Council International shows (ACI,
Exercise www.airports.org/traffic/passengers/html) that the
30 busiest airports reported the following preliminary
The purpose of this exercise is to practice some of the data for passenger traffic in 2001:
concepts you learned in this chapter. Note the following:
continues
12 078972801x CH10 10/21/02 3:40 PM Page 566
A P P LY Y O U R K N O W L E D G E
continued
Rank Airport Number of passengers
25 SINGAPORE, SG (SIN) 28,093,759
26 TORONTO, OT, CA (YYZ) 28,042,692
27 SEATTLE/TACOMA, WA (SEA) 27,036,074
28 ST LOUIS, MO (STL) 26,719,022
29 ROME, IT (FCO) 25,563,927
30 TOKYO, JP (NRT) 25,379,370
1,166,924,477
When answering the following, concentrate on major issues. Do not try to incorporate all possible variables such as extra personnel to cover sick leave and vacation time. The rounding of calculations is appropriate (for example, use 31,000,000 rather than 31,182,361). Show your calculations and rounding.

Estimated Time: 30 minutes

1. Assume that each passenger checks one bag and that the peak passenger load in a day is five times the average load (Thanksgiving and Christmas, for example). Further assume that baggage screening machines that search for explosives and other contraband can scan 1,000 bags per hour per machine, and that these machines have a mean time between failures (MTBF) of 8,568 hours of continuous operation (not quite 1 year) and are out of service for repair for 1 week. How many baggage-screening machines are needed for the Atlanta airport to ensure that all passengers can leave on the same day they enter?

2. Each machine costs $1.4 million; what is the capital cost Atlanta can expect for screening machines?

3. The best known device to screen baggage for explosives is a trained dog and handler. Using the same assumptions as in question 1, and further assuming that a dog can work for 2 hours at a time (during which 4,000 bags can be checked) and then needs a break of 2 hours, how many dog teams will the Atlanta airport need to ensure that all passengers can leave on the same day they enter? Assume each team works a normal 8-hour shift.

4. Discuss the use of biometrics for passenger identification. Include a discussion of error rates and mechanisms to handle errors.

5. Evaluate the answers to this exercise:

Answer to question 1: 76 million bags/year (rounded) times 5 for peak load yields an average of 208,219 bags/day, 1.041 million bags on peak days, and an average of 43,379 bags/hour. Thus, 44 machines are needed. Each machine will lose 1 week per year (44 weeks total), so a minimum of one machine (44/52) is needed to cover expected failures. The total number of baggage-screening machines is therefore 45.
12 078972801x CH10 10/21/02 3:40 PM Page 567
APPLY YOUR KNOWLEDGE
This neglects that enough spare machines must be available at the right times in case several machines die simultaneously or things grind to a halt (probably at the peak demand time), and this makes no allowance for longer (or shorter) repair times. It also assumes an even distribution of machine use by time-of-day. (For comparison, fewer than 200 such machines were operational in the U.S. in late 2001. It would require some 700 such machines just to do 100% check-in baggage screening at only the 30 most-active airports. And there have been reports of much higher failure rates than assumed here, up to 21% down time and weeks to repair.)

Answer to question 2: $63 million. This does not include spare part inventories, alterations to facilities to support baggage flow through those 45 machines (and the machines, which weigh around 9 tons each), time and cost to closely examine “potential problem” baggage flagged, and so on. It also does not include costs for operators and response staff, maintenance for the baggage conveyor systems, and so on. Credit yourself correct for the multiplication by a number other than 45, if it’s your output from question 1.

Answer to question 3: 189 dog/handler teams. (Dogs are twice as fast as machines but can work only 50% of a shift, so you need the same 45 teams 24/7/365. Three shifts triples that. Multiply by 7/5 to allow for 5-day work weeks.) This ignores sick and vacation time for both dogs and handlers and assumes dogs can and will do this sort of thing every day indefinitely. (Dogs won’t, and allowances for sick time and holiday time usually are around 10%–15%.) Also, fewer teams can be used if there is more than one dog per handler.

Answer to question 4: This is an open-ended essay. Note the need for the following:

• Very accurate biometric sensors
• Staff to conduct in-depth examination of passengers flagged as “suspicious”
• Time taken to recognize passengers and search a database
• Delay times in line-ups and such
• Costs
• The need for a proper risk assessment to guide selection

Bonus points for mentioning the relationship between false positive and false negative and for mentioning privacy problems. There is enough information in the chapter and in the previous table to suggest that biometric systems for passenger identification probably are not feasible; however, this should be guided by a risk assessment.

Review Questions

1. What are the three principles of physical security?

2. Name the four classes of physical assets this chapter uses.

3. List the four main types of vulnerability.

4. Vulnerabilities are further broken into ______________ and _________________.

5. List four general methods for controlling theft.

6. Describe a simple way to control theft of computers.
7. Some kinds of computer components, such as memory chips, are small, portable, and worth more than their weight in gold. How can you control theft of such things?

8. Assuming you can choose a location, what is a good way to minimize vulnerability to crime, riots, and demonstrations?

9. List at least two concerns that impact the decision to use biometrics in access control.

10. The three most common problems related to power supplies for computers are _________, _________, and ____________.

11. List three types of exposure to water-related problems.

12. Clarify the difference between fire protection and fire prevention.

13. List four desirable characteristics of a media storage area.

14. What is remanence, and what is the relationship of remanence to erasing media?

15. What is probably the biggest problem with installing sophisticated sensors in a perimeter detection system?

16. Describe how to perform a puff test.

17. Various types of see-through devices can display images of the contents of sealed parcels, baggage, and so forth. However, security testing at airports that use such see-through devices consistently has demonstrated poor results, with up to 50% of contraband items missed (and sometimes much higher). This might be because of an inherent problem with such devices. What is this inherent problem?

Exam Questions

1. Which of the following is probably the most common physical security issue affecting a workplace?
A. Theft
B. Destruction of company property due to floods
C. Terrorism
D. Accidental loss

2. What is a mantrap?
A. A device that can be deployed on the grounds of the facility and used to catch an intruder
B. An entrance that permits only one person at a time to pass, and that usually can be locked to trap an intruder
C. A special intrusion detection device that recognizes when an unauthorized individual is in the data center
D. In a honeypot, the part that traps the intruder and keeps him from accessing other areas of the network

3. Which two groups of people often are not considered in access control planning?
A. Secretaries and salespeople
B. Janitors and salespeople
C. Janitors and emergency response personnel
D. Contractors and emergency response personnel
4. What single provision covers most power supply problems, and some contingency issues as well?
A. UPS
B. Generator
C. Using laptops
D. Degausser

5. What is the single most important thing to do after detecting a fire?
A. Evacuate people.
B. Call the insurance company.
C. Call the fire department.
D. Gather critical documents.

Answers to Review Questions

1. The three principles of physical security are as follows: Identify the assets you need to protect; assess vulnerabilities and threats; and select countermeasures to contain the expected losses within an acceptable threshold of risk. See the “Classifying Assets to Simplify Physical Security Discussions” section for more information.

2. The four major classes of assets are facility, support, physical components, and supplies and materials. See the “Classifying Assets to Simplify Physical Security Discussions” section for more information.

3. The four main types of vulnerability are destruction, disclosure, removal, and interruption. See the “Vulnerabilities” section for more information.

4. Vulnerabilities are further broken into deliberate and accidental. See the “Vulnerabilities” section for more information.

5. Four ways to control theft are as follows: hire and authorize trustworthy people; make honesty part of the corporate culture; motivate people well; and minimize easy targets. See the “Vulnerabilities” section for more information.

6. There are many simple ways to control theft of computers. One way is to use a cable to attach the computer to something hard to move. Another simple way is to provide good lighting and visibility. See the “Vulnerabilities” section for more information.

7. One easy way is to lock computer cases. See the “Vulnerabilities” section for more information.

8. You can minimize vulnerability to crime, riot, and demonstrations by locating your facility near police and fire protection facilities. Also, locate it away from obvious targets (this is becoming more difficult, as obvious targets change with political shifts). See the “Selecting, Designing, Constructing, and Maintaining a Secure Site” section for more information.

9. The general answer is that such decisions need to be based on risk assessment results. At a more specific level, the chapter mentions cost, safety, reliability, and error rates. Other correct answers include psychological resistance, privacy issues, and sanitation in some types of sensors. See the “Passive Controls” section for more information.

10. The three most common problems related to power supplies for computers are brownouts, spikes and surges, and static. See the “Power” section for more information.
11. Water-related problems include flood, leaky basements, leaky roofs or drain pipes, snow loading, hurricanes, sprinkler systems, and air conditioning. See the “Water Exposure Problems” section for more information.

12. Fire protection includes detection and minimizing harm after a fire starts; fire prevention relates to avoiding the occurrence of fire in the first place. See the “Fire Prevention and Protection” section for more information.

13. Four desirable characteristics of a media storage area are restricted, controlled, locked, and provided with fire prevention and protection. See the “Tape and Media Library Retention Policies” section for more information.

14. Remanence is the property of materials to retain an impression of magnetic fields after the field is removed. Its relevance to data erasure is that magnetic materials might retain a record of the data written even after normal degaussing and erasure or overwriting. Technology that allows recovery from rocks of a magnetic record of the Earth’s field reversals over hundreds of thousands of years might also allow recovery of data from erased, degaussed, or overwritten magnetic media. See the “Waste Disposal” section for more information.

15. Installing such equipment without appropriate threat and risk assessment, real-time monitoring capability, or well-defined response procedures is probably the biggest problem with installing sophisticated sensors in perimeter detection systems. See the “Physical Intrusion Detection” section for more information.

16. Open the outlets that provide a supply of fire suppression gas, cover the openings with lightweight covers, and then blow air into the system. If everything is clear, the covers over the outlets should lift or otherwise signify the free flow of air. See the “Fire Prevention and Protection” section for more information.

17. Interpreting images is difficult because many items look very different in different orientations. For example, a bottle looks like a rectangle from one angle, but like a circle from an end view. (Radiation issues can affect some devices but not all, and not even all x-ray-based devices. Personnel training problems are also a problem but are not limited to see-through scanners.) See the “Physical Intrusion Detection” section for more information.

Answers to Exam Questions

1. A. Probably the most common physical security issue affecting a workplace is theft. See the “Vulnerabilities” section for more information.

2. B. A mantrap is an entrance that permits only one person at a time to pass, and it usually can be locked to trap an intruder. See the “Selecting, Designing, Constructing, and Maintaining a Secure Site” section for more information.

3. C. Two groups of people who often are not considered in access control planning are janitors and emergency response personnel. See the “Active Physical Access Controls” section for more information.
4. B. A UPS filters out surges and grounds static and can completely isolate the computer from line power. It also covers the contingency of loss of power. A generator replaces power but does not deal with the surges and spikes issue. A degausser is a demagnetizer. Laptops cannot be replacements for all computing systems and even though they include their own batteries, they are subject to damage from spikes. See the “Minimizing Power Problems” section for more information.

5. A. Evacuate the personnel first. See the “Fire Prevention and Protection” section for more information.
PART II

FINAL REVIEW

Fast Facts
Practice Exam
The big difference, which seems confusing at first, is that both of the rules are the opposite of the BLP model.

The Lipner model applies lattices and the principles of integrity and confidentiality to non-military examples. Essentially, Lipner changed the labels from terms such as confidential and secret to system programmers, production code, and so on.

The non-interference models deal with examining the input to and output from a system and seeing whether you can infer any information that you should not have access to.

Identification and Authentication Techniques

Identification is a statement of who you are, such as a user ID or logon name. Authentication is proving you are who you say you are. Several techniques are used by systems to provide authentication:

• Passwords
• One-time passwords
• Challenge response
• Biometrics

Remote Authentication Access Control

RADIUS and TACACS+ are typically used interchangeably for remote access controls.

Centralized Versus Decentralized Access Control

With centralized control, a single authority or system is responsible for access control. The biggest problem with this is that a single point of failure exists that could also become a bottleneck for an organization. With decentralized control, each individual or department is responsible for its own access control.

Methods of Attack

Types of attacks include

• Brute-force—With a brute-force attack, an intruder tries all possible combinations until she guesses the right one. Brute-force attacks are most popular when cracking passwords.
• Denial-of-service—These involve preventing others from gaining access.
• Spoofing—An attacker acquires the one-time password device (or other appropriate access control process) for a given user and acts like that user (or spoofs that user). The system then gives her access because the system thinks she is a legitimate user and does not know that she is really an attacker.
• Sniffing—The process of capturing the packets traveling across the wire and either reading plaintext passwords or capturing credentials and cracking them.

Monitoring

The field of study dealing with monitoring networks and hosts and looking for attacks is known as intrusion detection. The critical thing to remember with intrusion detection is that you are passively monitoring a network or hosts looking for signs of an attack. The emphasis is on detection, not prevention.

Signature or pattern matching IDS maintains a database of known attack signatures. When it looks at traffic or at log files, it tries to find a match for each of these signatures. If it finds a match, it sends an alert that the system is being attacked.

The concept behind anomaly detection is to determine what is normal traffic for a company, and anything that falls outside that norm is deemed an attack and is dropped.

Penetration Testing and System Assessment

Penetration testing is sometimes contrasted or compared with security assessments. The main difference between the two has to do with the scope and amount of initial information one is given. Typically, with a penetration test (or pen test), the goal is to see how much you can find out about the company, including possible ways you can break in.

Security assessments usually include a penetration test but are much more thorough. You are typically given access to all the key systems within a company to evaluate the current level of security. With security assessments, you are not trying to prove that you can get in; you are trying to paint a picture of the current threats that exist to the organization and what needs to be done to protect against them.

DOMAIN 2, “NETWORK SECURITY AND TELECOMMUNICATIONS”

ISO/OSI Seven-Layer Model

The ISO/OSI seven-layer model defines the fundamental aspects of how all network communication occurs. The OSI model exists to enable the user to understand the totality of a very complex system of communications by breaking the overall transmission of data into seven easier-to-define layers:

• Application layer—Primarily responsible for interfacing with the user. This is the application interface the user experiences. (POP3, NNTP)
• Presentation layer—Primarily responsible for translating the data from something the user expects to something the network expects. (WAV, MIDI, JPEG, SMB)
• Session layer—Primarily responsible for dialog control between systems and applications. (NFS, RPC)
• Transport layer—Primarily responsible for handling end-to-end data transport services. (TCP, UDP)
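The two detection styles described under “Monitoring”, run over constructed log lines as an added example (not code from the book): a small signature database matched against URL-decoded request paths, and an anomaly detector that learns a per-source request-rate baseline and flags sources that exceed it. The log format, the signatures and the hosts are assumptions made for illustration.

```python
"""Signature-based and anomaly-based detection over constructed log lines.

Added example, not from the book. Log format, signatures and hosts are assumptions.
"""
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Signature database: known-bad patterns, matched against the decoded request path
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}


def parse_line(line: str) -> dict:
    """Log format assumed here: '<source ip> <method> <path> <status>'."""
    src, method, path, status = line.split()
    # Decode %xx escapes first: a matcher that only sees the raw URL is trivially
    # evaded by encoding, which is a classic weakness of signature IDS.
    return {"src": src, "method": method, "path": unquote(path), "status": int(status)}


def signature_alerts(lines):
    """Pattern matching: alert whenever a line matches a known signature."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts


def build_baseline(lines):
    """Learn 'normal': mean and standard deviation of requests per source host."""
    counts = Counter(parse_line(line)["src"] for line in lines)
    values = list(counts.values())
    return mean(values), pstdev(values)


def anomaly_alerts(lines, baseline, k: float = 3.0):
    """Anomaly detection: flag any source whose request count exceeds mean + k*sigma.
    No signature is needed, but the alert says nothing about what the host is doing."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    counts = Counter(parse_line(line)["src"] for line in lines)
    return [(src, n) for src, n in counts.items() if n > threshold]


def _requests(host: str, n: int):
    return [f"{host} GET /page{j}.html 200" for j in range(n)]


# Constructed training window: ordinary browsing from six hosts
NORMAL_LOG = (_requests("10.0.0.2", 2) + _requests("10.0.0.3", 3) + _requests("10.0.0.4", 4)
              + _requests("10.0.0.5", 3) + _requests("10.0.0.6", 2) + _requests("10.0.0.7", 4))

# Constructed monitored window: the same browsing, one host flooding the server,
# and two single requests carrying known-bad patterns
MONITORED_LOG = (NORMAL_LOG
                 + _requests("10.0.0.99", 30)
                 + ["10.0.0.8 GET /cgi-bin/../../etc/passwd 404",
                    "10.0.0.9 GET /login?user=admin'%20OR%20'1'='1 200"])


if __name__ == "__main__":
    print("signature hits:", signature_alerts(MONITORED_LOG))
    print("rate anomalies:", anomaly_alerts(MONITORED_LOG, build_baseline(NORMAL_LOG)))
```

Each method catches what the other misses: the signature matcher never notices the flood from 10.0.0.99, and the rate detector never sees the two single hostile requests, which is why deployments combine both.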
• Network layer—Primarily responsible for logical addressing. (IP, IPX)
• Data Link layer—Primarily responsible for physical addressing. (IEEE 802.2, 802.3, switches, bridges)
• Physical layer—Primarily responsible for physical delivery and specifications.

Network Cabling

This section looks at cable specifications for coax, UTP, fiber, and wireless.

Coax

The following cable specifications exist for coax cable:

• RG-58/U—Solid copper core (0.66mm or 0.695mm), 53.5 ohms.

The maximum number of nodes per segment (between repeaters) on a 10BASE-2 segment is 30. The maximum length of a segment is 185 meters. You can actually determine the maximum cable length by the name 10BASE-2. 10 stands for 10Mbps; BASE stands for baseband; and 2 stands for 200 meters (okay, so it is a little short).

10BASE-5 supports a maximum of 1,024 hosts per segment. The maximum segment length for 10BASE-5 is 500m.

10BASE-2 and 10BASE-5 adhere to the 5-4-3 rule. This simply means that you can have a maximum of five segments connected via four repeaters, but only three segments can have hosts on them. The two segments that cannot support hosts are called interrepeater links (IRL).

A time domain reflectometer (TDR) can be used on one end of the cable to give an approximate distance within a few feet or so to the break in the wire.
• Multicast—The packet is addressed to multiple hosts via the use of group membership addresses.

Ethernet

Ethernet is the single most predominant technology in use today, with speeds ranging from 10Mbps to 10Gbps. Ethernet uses CSMA/CD, which helps the devices on the network share the bandwidth while ensuring that two devices cannot use the bandwidth at the same time.

Ring Topology

The most predominant method of transmitting data on a ring topology is through the use of something called token passing. The token is simply a packet to which data is appended for transmission. As a result, if a system wants to transmit, it must have the token so that it can append the data to the token and transmit it.

Network Devices

Following are network devices:

• Hubs and repeaters (Physical layer)—The primary functions of a hub (repeater) are to receive a signal, amplify the signal, and repeat the signal out all ports.
• Switches and bridges (Data Link layer)—Switches read at least part of the data and attempt to determine to which port the destination host is connected. If the switch can determine the destination port, it sends the signal only on the destination port. A Layer 3 switch is simply a hybrid device that combines Layer 2 and Layer 3 functionality, allowing the switch to forward frames when possible and route packets when needed. Bridges are similar to switches. One major difference, however, is that a bridge can run only one instance of spanning tree, whereas switches can have multiple instances. Spanning tree is a protocol, defined in the IEEE 802.1d standard, that is responsible for preventing loops from occurring on a bridged/switched network.
• Virtual LANs (VLANs)—The creation of logically segmented networks within a single switch or within a single switch fabric. A switch fabric is a group of switches that are physically connected to each other.
• Routers (Network layer)—These can further optimize network traffic by using the logical addressing information available from the Network layer. Routers are considered “network aware,” which means routers can differentiate between different networks.

Firewalls

Firewalls are designed to prevent unauthorized traffic from entering a network. They are typically deployed as a perimeter security mechanism to screen Internet traffic attempting to enter the network. The following are the types of firewalls:

• Packet filtering firewalls—Function by comparing received traffic against a ruleset that defines what traffic is permitted and what traffic is denied
• Application filtering firewalls—Function by reading the entire packet up to the Application layer before making a filtering decision
• Stateful inspection firewalls—Track the network connection state and then use it in determining what traffic should be allowed to pass back through the firewall
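The packet-filtering and stateful-inspection firewalls just listed, contrasted on a constructed packet trace as an added example (not code from the book): the stateless filter must carry a broad “replies from port 80” rule to let web traffic back in, while the stateful one admits only packets matching a connection an inside host opened. The rule set, the addresses and the simplified four-tuple connection table (no timeouts, no TCP flag tracking) are assumptions made for illustration.

```python
"""Packet filtering versus stateful inspection on a constructed packet trace.

Added example, not from the book. The rule set, the addresses and the simplified
connection table (a set of 4-tuples with no timeouts or TCP flag tracking) are
assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the protected network, "in" = entering it
    src: str
    sport: int
    dst: str
    dport: int


def packet_filter(pkt: Packet) -> str:
    """Stateless rules: each packet is judged only on its own header fields."""
    if pkt.direction == "out" and pkt.dport == 80:
        return "allow"  # internal hosts may browse the web
    # To let web replies back in, a stateless filter has to admit any inbound
    # packet claiming source port 80 to a high port: it cannot know whether an
    # internal host actually asked for it. This is the weak setting.
    if pkt.direction == "in" and pkt.sport == 80 and pkt.dport >= 1024:
        return "allow"
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remember outbound connections, admit only their replies."""

    def __init__(self):
        # (internal ip, internal port, external ip, external port) of open connections
        self.connections = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out" and pkt.dport == 80:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.direction == "in":
            reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply_of in self.connections:
                return "allow"  # matches a connection an internal host opened
        return "deny"


def run_trace(trace):
    """Return (stateless decision, stateful decision) for every packet, in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.decide(p)) for p in trace]


# Constructed trace; the outside hosts use RFC 5737 documentation addresses
TRACE = [
    Packet("out", "10.0.0.5", 40001, "198.51.100.10", 80),  # workstation opens a web connection
    Packet("in", "198.51.100.10", 80, "10.0.0.5", 40001),   # the web server's reply
    Packet("in", "203.0.113.7", 80, "10.0.0.5", 4444),      # unsolicited, merely claims port 80
    Packet("in", "203.0.113.7", 23456, "10.0.0.5", 22),     # ordinary inbound probe of a service
]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.direction:3s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  packet filter={stateless:5s} stateful={stateful}")
```

The third packet is the one that matters: both firewalls pass the genuine reply, but only the stateful one refuses the unsolicited packet that merely claims to come from port 80.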
• A VPN is simply the use of a “tunnel,” or secure channel, across the Internet or other public network. The data within the tunnel is encrypted, thus providing security and integrity of the data against outside users.
• The protocols used in VPN are Point to Point Tunneling Protocol (PPTP), Internet Protocol Security (IPSec), and Layer 2 Tunneling Protocol (L2TP).
• Remote Authentication Dial-In User Server (RADIUS) is a User Datagram Protocol-based de-facto industry standard for providing remote access authentication via a client/server model.
• Similar in function to RADIUS, Terminal Access Controller Access Control Service (TACACS+) differentiates itself by separating the authentication and authorization capabilities, as well as by using TCP for connectivity. As a result, TACACS+ is generally regarded as being more reliable than RADIUS.

TCP/IP

• Internet layer—Maps loosely to the Network layer of the OSI model and provides for logical addressing and routing of IP datagrams on the network. (IP, ICMP, ARP)
• Network layer—Maps loosely to the Data Link and Physical layers of the OSI model. The Network layer is primarily responsible for the physical delivery of data on the network.

Common Network Attacks and Countermeasures

Several common network attacks are

• Social engineering
• Brute-force
• Non-business use of systems
• Network sniffing, dumpster diving, and keylogging
• Denial-of-service
• Spoofing, Trojans, viruses and worms, and backdoors
RAID 0 provides no fault tolerance. If one disk fails, the data on all disks is lost.

• RAID 1—Also called mirroring, it duplicates the data on one disk to another disk.
• RAID 2—Uses multiple disks and parity information. Parity keeps track of whether data has been lost or overwritten by use of a parity bit.
• RAID 3–4—RAID 3 performs byte-level striping, and RAID 4 performs block-level striping across multiple drives. Parity information is stored on a specific parity drive.
• RAID 5—Stripes data and parity across all drives using interleave parity for data re-creation. Because reads and writes can be performed concurrently, RAID 5 offers a performance increase over RAID 1.

Clustering

In a data clustering scenario, the administrator configures two servers as mirrors of each other, both sharing access to a common storage system. If one of the servers fails, the services running on that server can be transferred to the backup server.

Network services clustering is used to improve system performance by distributing network requests among multiple servers that typically have the same functionality.

Backup

Backup methods include

• Full backup—A full backup saves every file, every time.
• Incremental backup—Only backs up the data that has been changed or added recently.
• Differential backup—A differential backup backs up files that have changed since the last full backup.

DOMAIN 3, “SECURITY MANAGEMENT AND PRACTICES”

CIA Triad

Following describes the CIA Triad (confidentiality, integrity, availability):

• Confidentiality—Determines the secrecy of the information asset. The level of confidentiality determines the level of availability that is controlled through various access control mechanisms.
• Integrity—Provides the assurance that the data is accurate and reliable.
• Availability—The ability of the users to access an information asset.

Privacy

Privacy relates to all elements of the CIA Triad. It considers which information can be shared with others (confidentiality), how that information can be accessed safely (integrity), and how it can be accessed (availability).

Identification and Authentication

Identification provides the resource with some type of identifier of who is trying to gain access.
Authentication is proving you are who you say you are. The following are some things used to do so:

• What the entities know, such as a personal identification number (PIN) or password
• What the entities have, such as an access card, a smart card, or a token generator
• Who or what the entity is, which is usually identified through biometrics

Auditing

Systems and security administrators can use the audit records to

• Produce usage reports
• Detect intrusions or attacks
• Keep a record of system activity for performance tuning
• Create evidence for disciplinary actions or law enforcement

The process of quantitative risk analysis consists of several steps, including identifying the assets, assigning value to them, identifying threats and risks, and determining how much money would be lost if the threat became reality. Potential monetary loss can be calculated using the following formulas:

• Single-loss expectancy (SLE) is the amount of the potential loss for a specific threat.
• Estimate annual frequency of occurrence or exposure factor (EF).
• Risk analysis is based on the loss over the course of a year. The annualized rate of occurrence (ARO) is the ratio of the estimated possibility that the threat will take place in a 1-year time frame. The ARO can be expressed as 0.0 (if the threat will never occur) through 1.0 (if the threat will always occur).
• Determine the annualized loss expectancy (ALE). Do this with the following steps:
  1. The SLE is calculated by multiplying the value of the asset by the EF:
     SLE = asset value × EF
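The SLE and ALE calculation carried through in code, as an added example that is not from the book: step 1 is the SLE formula above, step 2 (which the excerpt breaks off before) is the standard ALE = SLE × ARO, and the closing safeguard comparison is standard cost/benefit practice. The threat figures and the suppression-system cost are constructed assumptions.

```python
"""Quantitative risk analysis: SLE, ARO and ALE on constructed sample threats.

Added example, not from the book. SLE = asset value x EF is the book's step 1;
ALE = SLE x ARO is the standard step 2; the safeguard comparison at the end is
standard cost/benefit practice and every dollar figure is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # replacement value of the asset, in dollars
    exposure_factor: float  # fraction of the asset lost per occurrence (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (0.0 never, 1.0 always)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step 1: SLE = asset value x EF (the loss from one occurrence)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a fraction of the asset and must lie in [0.0, 1.0]")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 2 (standard formula, cut off in the excerpt): ALE = SLE x ARO."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def ale_for(threat: Threat) -> float:
    sle = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.aro)


def rank_by_ale(threats):
    """Threats ordered by expected yearly loss, the usual basis for prioritising controls."""
    return sorted(threats, key=ale_for, reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE reduction minus what the control costs per year.
    A negative result means the control costs more than the loss it prevents."""
    return (ale_before - ale_after) - annual_cost


# Constructed figures for illustration (not data from the book)
SAMPLE_THREATS = [
    Threat("fire in the data center", asset_value=2_000_000, exposure_factor=0.50, aro=0.05),
    Threat("web server defacement", asset_value=500_000, exposure_factor=0.10, aro=0.50),
    Threat("laptop theft", asset_value=4_000, exposure_factor=1.00, aro=1.00),
]


def fire_suppression_decision(annual_cost: float = 20_000.0) -> float:
    """Does a (constructed) suppression system that cuts the fire EF from 0.50 to 0.10 pay off?"""
    fire = SAMPLE_THREATS[0]
    before = ale_for(fire)
    after = ale_for(Threat(fire.name, fire.asset_value, 0.10, fire.aro))
    return safeguard_value(before, after, annual_cost)


if __name__ == "__main__":
    for t in rank_by_ale(SAMPLE_THREATS):
        sle = single_loss_expectancy(t.asset_value, t.exposure_factor)
        print(f"{t.name:26s} SLE={sle:>12,.0f}  ALE={ale_for(t):>10,.0f}")
    print(f"fire suppression net value per year: {fire_suppression_decision():,.0f}")
```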
• Centrally controlled computing—In this scenario, computers can exist in a widely distributed fashion both within headquarters and at remote offices. They are, however, configured, maintained, and controlled by a central authority.
• Decentralized—Computing facilities exist throughout the company. They might or might not be linked with each other.
• Distributed—Computers are everywhere, and so is the process of processing. Distributed computing does not preclude centralized control.

Additional Risks for Standalone PCs

PCs are also subject to the risks to data that mainframes have. In addition, they are subject to the following risks:

• Virus
• Trojan
• Logic bomb

Distributed Systems Issues

Distributed systems also can be subject to the previous risks. In addition, the following risks are present:
7. Construct and test this prototype.

8. Repeat steps 3–7 until the customer is satisfied that the prototype meets the requirements.

9. Construct the system.

10. Thoroughly test the final system.

An additional model is the spiral model constructed like the waterfall model with the element of risk analysis added. This model is credited to Barry Boehm, chief engineer at TRW in 1988. In essence, four operations are repeated until the right design is created, which is then put into production. The four operations are

• Planning/review—Determine the objectives of the system to be developed.
• Risk analysis, prototype—First, identify all alternative solutions and perform a risk analysis. Resolve the risks and create the prototype.
• Engineering—Develop and verify the product requirements. Validate the design. Do a detail design and validate it. Code a test product.
• Plan the next phase—Review for customer satisfaction. Do requirements planning, development planning, and integration planning, and create a test plan.

Rapid Application Development

Rapid application development (RAD) recognizes that the result of software development is a product that meets economic, reliability, and speed-of-development goals. It seeks to develop a product that has 80% of what is desired but is produced in 20% of the time normally required to meet 100% of the goals. A common saying is that a RAD project has a strong chance of developing the product in the timeframe desired if the company is willing to sacrifice either economy or quality. And, that it has a better chance of achieving its goal if the customer is willing to sacrifice both economy and quality.

Security Control Architecture

Security control architecture consists of the following:

• Process isolation—The capability to run different processes and separate them from one another.
• Hardware segmentation—The isolation of software processes and data via the segmentation of hardware.
• Memory protection—Virtual memory is divided into segments. Each process uses its own segment, and the system keeps its own internal processing separate from that of user mode processing (the running of applications).
• Least privilege—Processes have no more privileges than necessary to perform functions.
• Separation of duties—It is possible to assign privileges on the system so that related privileges are segregated—for example, backup and restore.
• Layering—A structured, hierarchical design of system function. Layers communicate through calls via defined interface.
• Security kernel—Hardware, firmware, and software that implement a reference-monitor concept.
• Modes of operation—Different system uses are separated into privileged and unprivileged.
• Accountability—With one user per account, you must be able to identify the individual’s activity on a system.
• Prototyping—A quick model of the program is made and viewed by users; then it's remodeled until it is approved. Then the working program is made.

Coding for Security
Ways to improve software include
• Eliminate buffer overflows.

Definitions
Many cryptographic discussions assume knowledge of these basic definitions:
• Plaintext—A message in its original form. Remember that any type of message can be encrypted. So, even though the word has text in its name, plaintext is really a generic term and can refer to an executable, a zipped file, a word-processor document, a spreadsheet, or any type of information you would want to keep protected and secure. This is the data before anything has been done to it.
• Ciphertext—A message after it has been encrypted.
• Encryption—The process of taking a plaintext message and converting it to ciphertext.
• Decryption—The process of taking ciphertext and converting it back to a plaintext message. The key thing with encryption and decryption is this: If you take a plaintext message, convert it to ciphertext, and then decrypt it back to plaintext, the decrypted plaintext message must match the original plaintext message that was input into the encryption algorithm.

Symmetric
Symmetric encryption is often called single-key or secret-key encryption because a single key is used for both encryption and decryption of the information.

• Something the person has, such as a token
• Something the person is, or biometrics
Encryption is used by all three authentication methods.
Nonrepudiation is critical when it comes to digital signatures. It deals with proving in a court of law that someone was the originator. Nonrepudiation is a feature of asymmetric encryption that allows you to prove that someone actually sent a message. It is equivalent to an actual signature.

Asymmetric
Asymmetric encryption is often called two-key encryption or public-key encryption. It involves two keys: a public and a private key. The public key is given to anyone who wants it, and the private key is kept secret by the user. Anything that is encrypted with one key can only be decrypted with the other key.
If asymmetric encryption is so powerful, why do you need symmetric encryption? The reason is speed. RSA is the asymmetric algorithm of choice and is used in most implementations that utilize this type of encryption.

MACs
Message authentication codes (MACs) are used to ensure the message has not changed in transit and therefore protect it against integrity attacks.

Hash Function
A hash function is a one-way transformation that cannot be reversed.

Digital Signature
Digital signatures are used to ensure nonrepudiation.
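The definitions above can be checked in running code. The following is an added example (not code from the book): it shows the round-trip invariant decrypt(encrypt(plaintext)) == plaintext with one shared key, a MAC that detects a byte changed in transit, and a hash producing fixed-length output that changes when the input changes. The stream cipher is a toy built from HMAC-SHA256 purely so the example runs with the standard library; it is an assumption of this example, not a cipher to deploy, and the keys, nonce and message are constructed values.

```python
import hashlib
import hmac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream for the demonstration only: HMAC-SHA256 over a counter.
    # Not a vetted cipher; a real system would use a standard one such as AES.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Plaintext -> ciphertext. Plaintext is any bytes: a zip file, a document, an executable."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Ciphertext -> plaintext with the same single key (symmetric): XOR undoes XOR."""
    return encrypt(key, nonce, ciphertext)


def mac(key: bytes, message: bytes) -> bytes:
    """Message authentication code: a keyed hash that changes if the message changes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison so verification time leaks nothing about the tag.
    return hmac.compare_digest(mac(key, message), tag)


def round_trip_ok(key: bytes, nonce: bytes, plaintext: bytes) -> bool:
    """The invariant from the definitions: decrypt(encrypt(m)) must equal m."""
    return decrypt(key, nonce, encrypt(key, nonce, plaintext)) == plaintext


def run_demo():
    # Constructed sample values; in practice keys and nonces come from os.urandom.
    enc_key, mac_key, nonce = b"\x01" * 32, b"\x02" * 32, b"\x00" * 8
    plaintext = b"PK\x03\x04 a zipped file is plaintext too"
    ct = encrypt(enc_key, nonce, plaintext)
    tag = mac(mac_key, ct)
    tampered = bytearray(ct)
    tampered[0] ^= 0x80                      # one bit flipped "in transit"
    h1 = hashlib.sha256(plaintext).hexdigest()
    h2 = hashlib.sha256(plaintext + b"!").hexdigest()
    return {
        "round_trip": round_trip_ok(enc_key, nonce, plaintext),
        "ciphertext_differs": ct != plaintext,
        "mac_ok": verify_mac(mac_key, ct, tag),
        "tamper_detected": not verify_mac(mac_key, bytes(tampered), tag),
        "hash_fixed_length": len(h1) == len(h2) == 64,
        "hash_changes": h1 != h2,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The MAC is computed over the ciphertext and verified before decryption, so a modified message is rejected without ever being decrypted; the hash alone gives integrity only against accidental change, because anyone can recompute an unkeyed hash.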
Security Models
Security models are attempts at organizing the management of security in an environment. Other models, discussed in other chapters, are examined here for comparison.

Clark-Wilson
The Clark-Wilson model emphasizes data integrity and does so for commercial activities. It uses software engineering concepts such as abstract data types, separation of privilege, allocation of least privilege, and nondiscretionary access control. Clark-Wilson has three integrity goals:
• Prevent unauthorized users from making modifications
• Prevent authorized users from making improper modifications
• Maintain internal and external consistency

TABLE 3
SECURITY MODELS FOR ACCESS CONTROL
Name of Model | Government Model | Primary Directive
Biba | Yes | Confidentiality
Bell-LaPadula | Yes | Confidentiality
Clark-Wilson | Yes | Integrity
Access Control Lists | No | Attempts at both confidentiality and integrity but limited to proper application

Security Architecture
A security architecture is the sum of the components used and the way they are put together to build security functionality into a computer operating system, device, or system.
Open System Versus Closed System
Table 4 compares open and closed systems.

TABLE 4
AN OPEN SYSTEM VERSUS A CLOSED SYSTEM
System Item | Open | Closed
User interface | Standard | Nonstandard
User access to system | Total | Limited to a single application or language

Security Principles
Some security principles to understand are
• Trusted Computing Base (TCB)—The sum of the security functions of the system.
• Execution domain—The OS system area is protected from tampering and accidental modification. Another layer, the user area, is set aside for application programs.
• Layering—Processes do not do everything. Processes are layered, with each layer having a specific job.
• Abstraction—Acceptable operations are characterized, not spelled out in detail.
• Process isolation—Many processes can be running without interfering with each other.
• Least privilege—A process has only the rights and access it needs to run; only processes that need complete privileges run in the kernel, and other processes call on these privileged processes only as needed.
• Resource access control—Access to resources is limited.
• Security perimeter—The boundary of the TCB. A security kernel and other security-realized functions operate within this perimeter. A security kernel is the implementation of the reference monitor concept.
• Security policy enforcement—The policy set for the system must be operational for the system to be operational. The security policy is always followed.
• Domain separation—The objects that a subject can access become its domain. The user doesn't need to access the security kernel, for example, so the domain of the TCB is separated from that of the user.

Security Modes
Security modes are indications of the currently operating function of a system. They are
• Dedicated—No restrictions. All users can access all data. All users have clearance for all data on the system and have signed nondisclosure agreements for all information stored and processed. The users have a valid need to know for all information.
• System high—All users have access approval and clearance for all information on the system. Users have clearance for all information. They have a need to know for some of the information and have signed nondisclosure agreements that require them not to share the information.
• Compartmented—Users have valid clearance for most restricted information processed on the system, formal access and nondisclosure for that information, and need to know for that information. Data is partitioned. Each area of data has different requirements for access. Users of the system must meet the requirement for the area they wish to access.
• Multilevel secure (MLS)—Users have different levels of clearance to different levels of information (think Bell-LaPadula). Some do not have valid personnel clearance for all information. All have valid need to know for that information to which they have access.
• Controlled mode—Multilevel access in which a more limited amount of trust is placed in the hardware/software base of the system. This results in more restrictions on classification levels and clearance levels.
• Limited access mode—Minimum user clearance is not cleared, and maximum data sensitivity is not classified by sensitivity.

Covert Channels
A covert channel allows an object with legitimate access to information to transfer the information in a manner that violates the system security policy. Two types of covert channels exist—covert storage channels and covert timing channels.

Information Security Standards
Standards for information security exist at national and international levels. The most commonly known and followed are as follows:
• Orange Book—Trusted Computer System Evaluation Criteria (TCSEC), 1985
• UK Confidence Levels, 1989
• ITSEC (1991) Information Technology Security Evaluation Criteria (from the German and French Criteria, the Netherlands, and the United Kingdom)
• Canadian Criteria, 1993, Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), a combination of ITSEC and TCSEC
• Federal Criteria, 1993 (draft Federal Criteria for Information Technology Security); later merged into Common Criteria

Orange Book
The certification emphasis of the Orange Book is confidentiality. The concept of a secure, or trusted, system is divided into a series of classifications that range from minimal protection to verified protection.
The Orange Book outlines the evaluation criteria and gives an objective measure for acquisition. It divides operating systems into four primary divisions around three different concepts. The concepts are
• Ability to separate users and data
• Granularity of access control
• Trust or overall assurance of the system
The primary divisions are
• D—Minimal protection
• C—Discretionary protection
• B—Mandatory protection
• A—Verified protection
Table 5 lists and describes the Orange Book classifications.
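The multilevel secure mode above ("think Bell-LaPadula") and the B division's mandatory protection (sensitivity labels enforced by a reference monitor) can be shown together in a few lines. This is an added example, not code from the book: a reference monitor mediates every read and write, applies the Bell-LaPadula simple security property (no read up) and basic star property (no write down), treats compartments as need-to-know, and records each decision for accountability. The level names, compartment names, user and object names are constructed for the example.

```python
from dataclasses import dataclass

# Ordered clearance/classification levels (constructed for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a set of compartments (need to know)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self dominates other when its level is at least as high and it holds
        # every compartment other is marked with.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


class ReferenceMonitor:
    """Mediates every access and keeps an audit record (accountability)."""

    def __init__(self):
        self.audit = []

    def decide(self, user: str, subject: Label, obj_name: str, obj: Label, op: str) -> bool:
        if op == "read":
            allowed = subject.dominates(obj)    # simple security property: no read up
        elif op == "write":
            allowed = obj.dominates(subject)    # star property: no write down
        else:
            allowed = False                     # anything not explicitly mediated is denied
        self.audit.append((user, op, obj_name, "ALLOW" if allowed else "DENY"))
        return allowed


def run_demo():
    rm = ReferenceMonitor()
    # One user cleared Secret with the "finance" compartment (constructed).
    alice = Label("secret", frozenset({"finance"}))
    objects = {
        "bulletin":   Label("unclassified"),
        "fin_report": Label("secret", frozenset({"finance"})),
        "hr_report":  Label("secret", frozenset({"hr"})),
        "ts_memo":    Label("top secret", frozenset({"finance"})),
    }
    results = {}
    for name, label in objects.items():
        results[name] = {
            "read": rm.decide("alice", alice, name, label, "read"),
            "write": rm.decide("alice", alice, name, label, "write"),
        }
    return results, rm.audit


if __name__ == "__main__":
    decisions, audit = run_demo()
    for entry in audit:
        print(entry)
```

Two outcomes are worth noticing: the Secret-cleared user cannot read the Secret "hr_report" because the compartment (need to know) is missing, which is the compartmented mode's rule, and she may write to the Top Secret memo but not to the unclassified bulletin, which is how the star property stops information flowing downward.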
TABLE 5
ORANGE BOOK CLASSIFICATION
Class | Title | Description
D: Minimal protection: Have been evaluated but don't meet standards for other classes
C: Discretionary protection: Need to know protection, accountability of subjects, accountability of actions, and audit
C1 | Discretionary security protection | Separation of users and data; enforces access limitations; users use data at the same level of security
C2 | Controlled access protection | More granular; user is more individually accountable; logical procedures, auditing, and resource isolation; security policy enforcement; accountability, assurance; controls who can log in; access to resources is based on wishes of users; log of user actions
B: Mandatory protection: Integration of sensitivity labels, labels used to enforce mandatory access rules, specification of TCB, reference monitor concept implemented
B1 | Labeled security protection | Accurate labeling of exported information
B2 | Structured protection | Formal security model; discretionary and mandatory access control extended to all subjects and objects; covert channels are addressed; TCB has protection-critical and nonprotection-critical elements; trusted facility management (systems admins and operator functions and configuration management control); system is relatively resistant to penetration
B3 | Security domains | Reference monitor must mediate all access of subjects by objects and is tamperproof; unauthorized code is excluded; security policy enforcement; complexity minimized; security administrator supported; audit expanded; and system recovery required; system is highly resistant to tampering
A: Verified protection
A1 | Verified design | Functionally equivalent to B3, but verification techniques are used against the formal security policy; can give high degree of assurance; TCB is correctly implemented
TABLE 6
ITSEC LEVELS OF EVALUATION
Level | Description
E0 | Inadequate
E1 | Definition of security target and informal architecture design exists. User/Admin documentation on TOE security exists. TOE is uniquely identified, and documentation exists that includes delivery, configuration, startup, and operations. The evaluator tests the security functions. Secure distribution methods are utilized.
E2 | Informal, detailed design and test documentation are produced. Separation of TOE into security enforcing and other components. Audit trail of startup and output is required. Assessment includes configuration control, developer's security, and penetration testing for errors.
E3 | Source code or hardware drawings must accompany the product, and a correspondence between design and source code must be shown. Standard, recognized implementation languages are used. Retesting is required after correction for errors.
E4 | Formal security model. Semiformal specification for security enforcing functions, architecture, and detailed design. Sufficient testing. TOE and tools are under configuration control. Changes are audited, and compiler options are documented. TOE retains security after a restart from failure.

Common Criteria
The "Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security" was signed as a mutual recognition arrangement in 1998 by government organizations from the United States, Canada, France, Germany, and the United Kingdom.
This international standard, known as Common Criteria, has the following as its objectives:
• Ensure IT product evaluations are performed to high and consistent standards.
• Guarantee that evaluations contribute to the confidence in the security of the products.
• Increase the availability of evaluated, security-enhanced IT products.
• Eliminate duplicate evaluation.
• Continuously improve efficiency and cost-effectiveness of security evaluations and certification/validation process for IT products and protection profiles.
TABLE 7
A COMPARISON OF THE ORANGE BOOK, ITSEC, AND COMMON CRITERIA
Orange Book TCSEC | ITSEC | Common Criteria Evaluation Assurance Level
D Minimal protection | E0 | EAL0
| | EAL1
C1 Discretionary security protection (discretionary access control, identification and authentication, system architecture, system integrity, security testing, documentation) | F1+E1 | EAL2
C2 Controlled access protection (object reuse and audit) | F2+E2 | EAL3
B1 Labeled security protection (labeling, label integrity, design verification) | F3+E3 | EAL4
B2 Structured protection (covert channel, device labels, subject sensitivity labels, trusted path, trusted facility management, configuration management) | F4+E4 | EAL5
B3 Security domains (intrusion detection, security administrator role definition) | F5+E5 | EAL6
A1 Verified design (verified design, more documented version of B, trusted distribution) | F6+E6 | EAL7
• Media such as tapes, CD-ROMs, and disks
• Personal digital appliances (PDAs), phones, and wireless devices
• Modems and other communications devices
• Software, including licensed commercial software and custom applications
• Source code
• Documentation

Types of Controls
To fulfill its objectives, operations security uses many types of controls, such as
• Operational controls—These are day-to-day procedures, mechanisms that include physical and environmental protection, privileged entry commands, change control management, hardware controls, and input and output controls.
• Audit and variance detection controls—These are audit logs that contain information on the exercise of privilege and records of system activity.
• Application software maintenance controls—These controls monitor installation and updates to applications, and they keep a record of changes.
• Technical controls—These controls audit and journal integrity validations, such as checksums, authentication, and file system permissions.
• Administrative or management controls—These control personnel screening, separation of duties, rotation of duties, and least privilege.
• Deterrent controls—These controls reduce the likelihood of attack.
• Preventative controls—These controls protect vulnerabilities, reduce the impact of attacks, or prevent an attack's success.
• Detective controls—These controls detect an attack and can activate corrective controls or preventative controls.
• Corrective controls—These controls reduce the impact of an attack.
Table 8 lists and matches controls to types.
TABLE 8
SAMPLE CONTROLS MAPPED TO TYPES
PC Control Control Types from Different Schemas
Require passwords for access, require biometrics for authentication Technical Preventative
Disk locks Technical Preventative
Acceptable use policies, requiring virus check of portable media Operational Preventative
Checking for compliance Audit and variance detection Corrective
Using antiviral software Technical Preventative
Requiring file encryption Technical Preventative
Training in controls Management Preventative
Requiring that help desk or IT staff configure PCs, not users Management Preventative
Software code audit looking for buffer overflows Technical Input, output
Loading a personal firewall/IDS system Technical Detective
Role of Auditing Monitoring
Auditing, whether with logs or special intrusion detection devices, can be used to
• Audit for compliance to security policy.
• Audit for evidence of intrusion, attack, or compromise.

Intrusion Detection
Intrusion detection is accomplished by extracting data and by the recognition of traffic and traffic patterns.
A network-based IDS analyzes all traffic on the network. A central management station usually manages the information gathered by the host and network IDSs.
A host-based IDS requires loading software on the host machine. The software listens to traffic coming and going to and from its host machine. It can also take advantage of information in the computer's logs and monitor the integrity of the file system for a broader picture of changes and attempted changes.
One of the tuning mechanisms is the capability to set the number of errors or instances of unusual activity that will cause an alarm. This is called setting the clipping level.

Penetration Testing Techniques
To do a penetration test, you should do the following:
• Determine the target.
• Footprint or profile.
• Enumerate the network.
• Scan and enumerate services on the network.
• Operating system enumeration.
• Attack against a particular machine.

Countermeasures to Threats
Table 9 gives examples of common threats.
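A clipping level of the kind described under Intrusion Detection, implemented as detection logic over log lines. This is an added example, not code from the book: the log format, user names and addresses are constructed, and the regular expression, the sliding window and the reset-after-alarm rule are this example's assumptions. Failed logins are counted per user inside a time window and an alarm fires when the count reaches the clipping level; the third user's widely spaced failures never reach the level inside the window, which is the trade-off a clipping level makes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the book). One burst of three failures,
# one burst of six, and five failures spread ten minutes apart.
SAMPLE_LOG = """\
2002-10-21 03:44:01 sshd[101]: Failed password for alice from 10.0.0.5
2002-10-21 03:44:02 sshd[101]: Failed password for alice from 10.0.0.5
2002-10-21 03:44:03 sshd[101]: Failed password for alice from 10.0.0.5
2002-10-21 03:44:04 sshd[101]: Accepted password for alice from 10.0.0.5
2002-10-21 03:50:10 sshd[102]: Failed password for bob from 10.0.0.9
2002-10-21 03:50:11 sshd[102]: Failed password for bob from 10.0.0.9
2002-10-21 03:50:12 sshd[102]: Failed password for bob from 10.0.0.9
2002-10-21 03:50:13 sshd[102]: Failed password for bob from 10.0.0.9
2002-10-21 03:50:14 sshd[102]: Failed password for bob from 10.0.0.9
2002-10-21 03:50:15 sshd[102]: Failed password for bob from 10.0.0.9
2002-10-21 04:10:00 sshd[103]: Failed password for carol from 10.0.0.7
2002-10-21 04:20:00 sshd[103]: Failed password for carol from 10.0.0.7
2002-10-21 04:30:00 sshd[103]: Failed password for carol from 10.0.0.7
2002-10-21 04:40:00 sshd[103]: Failed password for carol from 10.0.0.7
2002-10-21 04:50:00 sshd[103]: Failed password for carol from 10.0.0.7
"""

# Assumed line layout: "<date> <time> <process>: Failed password for <user> from <source>"
LINE_RE = re.compile(r"^(\S+ \S+) \S+ Failed password for (\S+) from (\S+)")


def parse_failures(text: str):
    """Return (timestamp, user, source) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def alarms(events, clipping_level=5, window=timedelta(minutes=10)):
    """Fire one alarm per user each time `clipping_level` failures fall inside
    a sliding `window`. Returns (user, source, time_of_alarm) tuples."""
    recent = defaultdict(list)      # user -> timestamps still inside the window
    fired = []
    for ts, user, src in sorted(events):
        bucket = recent[user]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # expire old failures
            bucket.pop(0)
        if len(bucket) >= clipping_level:
            fired.append((user, src, ts))
            bucket.clear()          # reset so one burst raises one alarm
    return fired


def run_demo():
    return alarms(parse_failures(SAMPLE_LOG), clipping_level=5, window=timedelta(minutes=10))


if __name__ == "__main__":
    for user, src, when in run_demo():
        print(f"ALARM {when} user={user} source={src}")
```

Raising the clipping level cuts false alarms from users who mistype a password a few times; lowering it or widening the window is what catches the slow pattern, at the price of more noise. Both numbers are the tuning knobs the text refers to.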
TABLE 9
COMMON THREATS WITH EXAMPLES
Threat | Notes | Example
Errors | Incorrect configuration. | Default, well-known passwords are not changed.
Omission | Patches are not applied. | Patches for IIS were not applied, and many IIS servers were infected with Code Red.
Fraud | Company assets are obtained by misrepresentation or modification of information. | Paycheck amounts were increased by claiming overtime hours not worked, customer records were stolen, or software was taken by employees for home use.
Misuse of information | Sensitive, private information is used for personal gain. | Earnings knowledge used to buy or sell shares (insider trading).
Employee sabotage | Employee uses knowledge of company operations and systems to destroy or damage assets. | Time-bombed code is loaded on servers by an administrator and destroys data the day after the employee is fired.
Ignoring policy | Employees know the rules but do not obey them. | Accidents are caused by not following safety rules. Accidental destruction of data backup caused by leaving tapes in the trunk of a parked car during a summer heat wave when policy states immediate transport in air-conditioned vehicle.
Physical accidents | These are as a result of physical circumstances as opposed to system malfunction or inadvertent misuse of the system. | Electric shock or moving parts of printers.
Software malfunction | Bugs or security vulnerabilities. | Buffer overflow causes a reboot or leaves the system open to compromise.
Loss of resources | Destruction of data center in full or in part. | Fire, flood, storm, bomb, or explosion.
Loss of infrastructure | Malfunction of equipment. | A router or switch dies.
Hackers and crackers | Attack on systems. | Loss of data, loss of reputation, and destruction of systems.
Espionage | Spies from another company join yours or pay your employees to provide internal information. | Soft drink formula is stolen from database by employee and sold to competition.
Malicious code | Code is run on a system with undesirable results. | Code Red, Nimda, I Love You, and so forth.
Tape librarian | Collects input tapes; sends/receives tapes from offsite storage; maintains tapes and cartridges; ensures adequate supply, tape storage, and vault; ensures critical backup; pulls historical files and stores at local tape vault or ships to offsite location; maintains logs; and controls physical inventory tape library | Automated tape library, problem/change management system | Production data files, application programs, and job control files
Countermeasures to Internet threats include
• Footprinting/enumerating the network—Most information gained here is public knowledge. You can, however, obscure some information.
• Scanning/enumerating services—Block all unnecessary inbound and outbound ports.
• OS enumeration—Because many operating system identity hints or direct identification information are returned in banners (notices returned when inquiries are made), where possible change or eliminate the banner presented by services.
• Penetration testing—Become knowledgeable of the tools and tests hackers use. Develop or find tools that are countermeasures to these tools and methods.

Countermeasures to physical threats include
• Don't build near explosion hazards, and don't locate a data center near any explosives. In addition, diesel-powered generators should not be located near the data center.
• To avoid windstorm damage, don't have exterior windows and provide protection from possible falling trees or manmade structures such as towers.
• Don't place the data center on lower floors. Break-ins occur more often on lower floors.
• Do not externally label data center locations or advertise it in phone books, Web sites, and so forth.
• Avoid basement locations. Water damage can result from flooding. Use watertight seals and reroute pipes and conduits away from the data center if possible.
• Don't place media storage areas/vaults near flammable or explosive material or near compressors, water, and gas tanks.
• Subdivide rooms with firewalls or man traps, and keep fire doors closed.
• Use noncombustible building materials.
• Store paper media separately from equipment.

The Role of Administrative Management
Administrative management, the management of all things administrative, can serve a critical role in operations security. Managers must concern themselves with legal compliance, risk management, and fiduciary (monetary) responsibility. These are impacted by operations security. In addition, management plays a key role in promoting education on security, overseeing compliance, participating in policy-making and enforcement, ensuring cross-departmental involvement, and approving funding.

Principles of OPSEC
Least privilege, separation of duties, and change management can improve security and reduce the risk of fraud and accidental loss of data or data integrity. However, many other operations and best practices contribute to the stability and security of information. Some of them are discussed in other domains. Legal issues such as legal requirements; the standards of due care/due diligence; and record retention, privacy, and protection are discussed in the legal domain. Data backup is discussed in the Disaster Recovery and Business Continuity domain. Additional operations security concepts and best practices are
• Privileged operation functions
• Email security, including antivirus controls
• Disaster and continuity plans
• Other aspects of computer operations

• Handling—All data within the data center must be properly handled to ensure viability and confidentiality. Protect media by keeping it in its original packaging and away from direct exposure to heat, sunlight, and electrical shock or damage from dropping.
• Phone numbers of restoration and alternative sites—Including business, home, off-hour numbers, cell, and other alternative numbers for locating your contacts at these companies.

Antidisaster Procedures
It's especially important that disaster recovery planning pay attention to techniques for preventing disasters. The following items should be considered:
• Locking hubs, routers, and switches in their own wiring closets instead of leaving them exposed in public areas or housed with public utility access points
• Limiting access to data centers, server rooms, and equipment closets
• Using approved fire-retardant materials in the construction of data centers
• Providing fire-extinguishing equipment and sprinkler systems where appropriate
• Performing background screening of employees
• Using antivirus products on gateways, servers, and desktops
• Using screening firewalls, routers, and so on at both egress and ingress points into networks

• Data vaulting—Either the transaction or the data file is transmitted to an alternative location in real-time. This can include the capability for a hot backup to immediately take over processing.
• Co-location—An exact copy, say of a Web or e-commerce site, is located at an alternative site or ISP. The co-located site is immediately ready to take over serving pages, accepting orders, and so on if a problem occurs at the main location.
• Hardware backup—Duplicate hardware is available either at the main site or alternative location, or both. It can immediately be put into service and the latest backup restored.
• Hardware- or software-based redundant array of inexpensive disks—Fault-tolerant disk systems provide duplication of data or the capability to recover data in the face of drive failure. Several techniques are used.
• Fail-over clustering—Multiple processors operate in a cluster and provide the capability to automatically switch from malfunctioning units to functioning units.

Alternative Sites
Different types of alternative sites can be selected. They include
• Hot—Completely configured with equipment, systems software, and appropriate environment.
Criminal, Civil, and Administrative Law
Criminal laws authorize the government to punish wrongdoers with financial penalties and incarceration. To convict a suspect under criminal law, the government must meet a high standard of proof—proof beyond a reasonable doubt—that the suspect intentionally did something wrong.
Civil laws, on the other hand, enable private parties to enforce their rights—such as contract, tort, and property rights—through court orders and monetary awards for damages.
Administrative law allows government agencies to interpret the laws they administer through official statements or regulations and to enforce those laws through investigations, fines, and other sanctions.

• Trade secrets—Trade secret law allows the owner of a trade secret to prevent others from using or exploiting the secret. A trade secret might be something like a customer list or an algorithm for searching through data on a network. Trade secret law applies automatically to information a company treats as a trade secret.

Sales and Licensing
When a programmer or contractor is hired to write software, the employer typically obtains an agreement that all the programmer's or contractor's work product (inventions, copyrights, and trade secrets) are sold and assigned to the employer. This arrangement is known as work for hire.
A license is typically a contract that allows each customer to use the software (and the patents, copyrights, and trade secrets therein) under restricted terms but does not allow the customer to remarket the software as his own. A license typically means a right to use but not to own.

Privacy
The United States has no comprehensive national law on privacy. U.S. privacy laws tend to apply on a sector-by-sector basis. Several laws that affect the use and protection of information systems and the data they manage are
• State laws and the federal Healthcare Insurance Portability and Accountability Act (HIPAA) generally require healthcare providers to maintain the confidentiality of patient information.
• The federal Gramm-Leach-Bliley Financial Modernization Act requires financial institutions to give customers notice about how their private information will be protected or shared with third parties.
• The Privacy Act limits the ability of federal government agencies to disclose to the public or other agencies information they have about individual citizens.
• Generally, no American law requires that companies post privacy policies with respect to people who visit their Web sites. However, many companies do elect to post privacy policies to make visitors feel more comfortable.
Generally speaking, employees have no right to privacy when communicating through corporate information resources if the employees are informed in advance that they have no privacy. Therefore, many corporations publish notices to employees to the effect that management might monitor their email or other electronic communications.
In contrast to the U.S., the European Union (EU) has more comprehensive rules on individual privacy. Traditionally, these rules have included restrictions on "transborder data flows" that would allow private data to flow to countries whose laws would not protect that data. The European Union's Directive on Data Protection forbids the transfer of individually identifiable information to a country outside the EU unless the receiving country grants individuals adequate privacy protection.
To establish that data sent to the U.S. is granted adequate privacy protection, the EU and the U.S. government have negotiated a safe harbor. Under the safe harbor, participating U.S. companies voluntarily agree to protect personally identifiable information from the EU.

Federal Laws
Federal laws that impact information processing are
• The federal Foreign Corrupt Practices Act (FCPA) requires publicly owned companies to maintain adequate books and records and an adequate system of internal controls. Normally, the FCPA is enforced as administrative law by the U.S. Securities and Exchange Commission.
• The federal Gramm-Leach-Bliley Financial Modernization Act, and official guidelines published under the act, require financial institutions to implement a security program to safeguard private customer information in their possession.
• The U.S. Export Administration Regulations require that exporters obtain licenses before they export certain high-performance computers and microprocessors, as well as strong encryption. The U.S. Commerce Department's Bureau of Export Administration (BXA) administers and enforces these export controls. Noncompliance can lead to administrative sanctions and criminal penalties.
9. Plan and prepare for the seizure of target systems, including the possible need for special experts and a search warrant.
10. Designate a search and seizure team, including a lead investigator, an IT security specialist, a legal advisor, and technical staff.
11. Evaluate the risk to the target system before seizing it, including an anticipated reaction of the suspect and the risk that evidence will be destroyed.
12. Execute the seizure plan. Secure and search the location, preserve evidence, record each action (such as in a notebook), videotape the process, photograph the system configuration and monitor display, and move the system to a secure location.
13. Prepare a detailed report documenting facts and conclusions.

Evidence
Some evidence is stronger or more credible than other evidence. The credibility of evidence is usually determined by the trier of fact—in other words, the judge or jury in the court—based on the following:
• Strong evidence of a fact is called direct evidence; weaker evidence is called circumstantial evidence.
• To be authentic, evidence must be supported by something showing that the evidence is what it purports to be.
• The "hearsay rule" excludes from court a statement made outside the court that is repeated for the purpose of showing the statement is true.
• The "best evidence rule" says that to prove the terms of a "writing," the original writing must be produced in court—not a copy—because the original is more reliable. When an electronic writing is at issue, you can most easily satisfy the best evidence rule with respect to that writing by persuading the court that the evidence being offered is an accurate representation of the writing.
• The chain of evidence is a series of records showing where evidence came from, who was responsible for it, what happened to it, how it was protected, whether it was changed, and so on.

Fourth Amendment to the U.S. Constitution
The Fourth Amendment to the U.S. Constitution protects citizens from unreasonable searches and seizures by government. Therefore, law enforcement normally needs a court-issued warrant before searching or seizing evidence, although there are exceptions, such as when evidence is in plain view.

Forensics
The techniques for seizing and preserving electronic evidence so as not to alter or destroy it are as follows:
• Restrict physical and remote access to the computer.
• If computer is off, do not turn it on.
• If computer is on, photograph the image showing on the screen and then unplug the computer.
• Do not touch the keyboard.
• Do all forensic analysis of the electronic evidence from a mirror copy of the disk on which the evidence is originally stored.
14 078972801x FFacts 10/21/02 3:44 PM Page 617
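The “mirror copy” rule above and the imaging step in the seizure checklist (bit-stream image the drive, hash both drive and image to confirm they match, then search the image’s files, free space and slack space) as an added Python example; this is not code from the book. The “drive” is a constructed in-memory buffer and the evidence and examiner identifiers are placeholders.

```python
"""Seizure step 6, as code: bit-stream image a drive, hash the drive and the
image to prove they match, record the result in the chain of evidence, then
run keyword searches against the image (files, free space and slack space).
Added example: the "drive" is a constructed in-memory buffer, not a real disk."""
import hashlib
import io
from datetime import datetime, timezone

SECTOR = 512  # sector size assumed for the constructed device


def build_sample_device() -> bytes:
    """Construct an 8-sector 'disk': a live file with slack, and free space."""
    live_file = b"MEMO: budget review moved to Friday.\n"
    # Slack space: the rest of the file's last sector still holds bytes from
    # an earlier, deleted file that the filesystem never overwrote.
    slack = b"...old draft: project codename KESTREL..."
    sector0 = (live_file + slack).ljust(SECTOR, b"\x00")
    sector1 = b"README: nothing to see here.\n".ljust(SECTOR, b"\x00")
    sector2 = b"\x00" * SECTOR
    # Free (unallocated) space: a deleted record that no directory points to.
    free = b"DELETED-RECORD: wire transfer ref 7731".ljust(SECTOR, b"\xff")
    free += b"\xff" * (SECTOR * 4)
    return sector0 + sector1 + sector2 + free


def digest_of(stream, block_size=SECTOR) -> str:
    """SHA-256 of a stream, read block by block so huge images fit in RAM."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(block_size), b""):
        h.update(block)
    return h.hexdigest()


def image_device(device, block_size=SECTOR):
    """Bit-stream copy: every block, allocated or not, is copied verbatim.
    Returns the image and the hash of the bytes exactly as they were read."""
    device.seek(0)
    image, h = io.BytesIO(), hashlib.sha256()
    for block in iter(lambda: device.read(block_size), b""):
        h.update(block)
        image.write(block)
    return image, h.hexdigest()


def verify_image(device, image) -> bool:
    """The suspect drive and its image must hash identically."""
    return digest_of(device) == digest_of(image)


def keyword_search(image_bytes: bytes, keywords, sector=SECTOR) -> dict:
    """Search the raw image, not the filesystem, so hits in slack and free
    space are found too. Returns {keyword: [(sector_index, offset), ...]}."""
    hits = {}
    for kw in keywords:
        positions, start = [], 0
        while (pos := image_bytes.find(kw, start)) != -1:
            positions.append((pos // sector, pos % sector))
            start = pos + 1
        hits[kw] = positions
    return hits


def custody_entry(evidence_id, action, digest, handler, when=None) -> dict:
    """One chain-of-evidence record: who did what to which item, and the
    hash that pins down the item's state at that moment."""
    when = when or datetime.now(timezone.utc)
    return {"evidence_id": evidence_id, "action": action, "sha256": digest,
            "handler": handler, "timestamp": when.isoformat(timespec="seconds")}


def run_demo():
    # Placeholder identifiers; a real record would carry the case's own.
    device = io.BytesIO(build_sample_device())
    image, acquired = image_device(device)
    log = [custody_entry("HDD-01", "bit-stream image acquired", acquired, "examiner-1")]
    ok = verify_image(device, image)
    log.append(custody_entry("HDD-01", "image hash verified" if ok else "HASH MISMATCH",
                             digest_of(image), "examiner-1"))
    # All analysis runs on the image; the original drive is not touched again.
    hits = keyword_search(image.getvalue(), [b"KESTREL", b"wire transfer"])
    # A working copy altered by one byte (in free space) fails re-verification.
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(SECTOR * 3)
    tampered.write(b"\x00")
    return ok, verify_image(device, tampered), hits, log


if __name__ == "__main__":
    ok, tampered_ok, hits, log = run_demo()
    print("image verified:", ok, "| altered copy verified:", tampered_ok)
    for kw, where in hits.items():
        print(kw.decode(), "found at (sector, offset):", where)
    for entry in log:
        print(entry)
```

Both keywords are found even though neither lives in an allocated file, which is why the searches run over the raw image rather than through the filesystem.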
2. If the machine is on, turn it off by pulling the plug. To record the state of the computer before it was unplugged, photograph the image displayed on the monitor.
3. Before moving the computer, document the hardware configuration with photographs and tags on cables. Collect, package, and label removable media such as floppy disks, tapes, and CDs present in the premises of the PC.
4. Transport the computer to a secure location.
5. Boot the computer without booting from the suspect hard drive itself. Boot from a floppy, or remove the hard drive and examine it using a separate computer dedicated to forensic examination.
6. Using forensic software, make a bit-stream image of the suspect drive; then run a hash of the suspect hard drive and the image to confirm the data in the two are the same. Next, document the system date and time. Forensics software can then be used on the image copy to run keyword searches through files, free space, and slack space.

• Compromises the privacy of users

DOMAIN 10, “PHYSICAL SECURITY”

Elements of physical security are
• Facility requirements—Such as site selection and construction and perimeter control
• Technical controls—Such as card or token systems
• Environmental/life and safety—Such as power and fire issues
• Physical security threats—Such as weather and other natural events and intentional attacks
• Elements of physical security—Such as sensors and surveillance

Classification of Assets

Four physical asset classes are
• Facility—Building, rooms, workspace, backup storage area, and so on
Site Location and Construction

Site location and the construction of a building and the data center have an impact on the risks to systems. The following are some things to consider:
• Vulnerability to crime, riots, and demonstrations—Consider whether the location will make you vulnerable to such problems.
• Adjacent buildings and businesses—Do nearby businesses attract types of attention you don’t want directed toward your information systems facility? If there is an adjacent building, can someone get from it into yours and, if so, is its security as strong as your own?
• Keys, including card systems and other tokens, and window construction

Doors and keys are passive controls. More active measures require people or, in some cases, expensive automated measures such as a computer-controlled card-access system. The people could be guards or receptionists.

Power

Power issues and countermeasures are
• Surges, spikes, and brownouts—Use a UPS system, which provides power management and therefore provides an even source of supply to computer systems regardless of spikes and brownouts.
Study and Exam Prep Tips

LEARNING AS A PROCESS

To best understand the nature of preparation for the exams, it is important to understand learning as a process. You are probably aware of how you best learn new material. You might find that outlining works best for you, or you might be a visual learner who needs to “see” things. Whatever your learning style, test preparation takes place over time. Obviously, you can’t start studying for the CISSP exam the night before you take it; it is very important to understand that learning is a developmental process. And as part of that process, you need to focus on what you know and what you have yet to learn.

Learning takes place when you match new information to old. You have extensive experience in one or more domains of the CBK, and now you are preparing for the CISSP exam, which covers all 10 of them. Using this book, and supplementary materials, will not just add incrementally to what you know; as you study, you will actually change the organization of your knowledge as you integrate this new information into your existing knowledge base. This will lead you to a more comprehensive understanding of the domains and information security in general. Again, this happens as a repetitive process rather than as a singular event. If you keep this model of learning in mind as you prepare for the exam, you will make the best decisions concerning what to study and how much more studying you need to do.
You should set a goal for your pretesting. A reasonable goal would be to score consistently in the 90% range. See Appendix D, “Using the PrepLogic Practice Tests, Preview Edition,” for a more detailed explanation of the test engine.

Common-Sense Strategies

Finally, you should follow common-sense practices when studying. You should study when you are alert, reduce or eliminate distractions, take breaks when you become fatigued, and so on.

More Exam Prep Tips

Generic exam preparation advice is always useful. Tips include the following:
• Pay particular attention to definitions.
• Review the current exam study guide and the “Process for Becoming a CISSP” guide on the (ISC)2 Web site.
• Take any of the available practice tests. We recommend the ones included in this book and the ones you can create by using the PrepLogic software on the CD-ROM.
• Because there is a large amount of information to learn, it is tempting to spend time memorizing definitions. Remember that you need to be able to think your way through questions as well.

Tips for the Exam Session

The following generic exam-taking advice you have heard for years applies when taking the CISSP exam:
• Take a deep breath and try to relax when you first sit down for the exam session. It is very important to control the stress you might (naturally) feel when taking exams.
• Carefully read all the information in the questions.
• Tackle the questions in the order in which they are presented. Skipping around will not build your confidence; the clock is always counting down.
• Do not rush, but also do not linger on difficult questions. The questions vary in degree of difficulty. Don’t let yourself be flustered by a particularly difficult or verbose question.
• The exam is long. It can be helpful to make a rough calculation of how many minutes you can spend on each question and use this to pace yourself through the exam.
• Take advantage of the fact that you can return to and review skipped or previously answered questions. Record the questions you can’t answer confidently, noting the relative difficulty of each question, on the scratch paper provided. After you have made it to the end of the exam, return to the troublesome questions.
• If session time remains after you have completed all questions (and if you aren’t too fatigued!), review your answers. Pay particular attention to questions that seem to have a lot of detail.
• As for changing your answers, the general rule of thumb is don’t! If you read a question carefully and completely and thought you knew the right answer, you probably did. Do not second-guess yourself. If, as you check your answers, one clearly stands out as being incorrectly marked, of course you should change it. If you are at all unsure, however, go with your first impression.

If you have done your studying and follow the preceding suggestions, you should do well. Good luck!
Practice Exam

B. Confidential data
19. After a subject enters a pass phrase, what is created by the system and used to perform the actual authentication?
A. One-time password
B. Virtual password
C. Single sign on password
D. Challenge token password

20. What is two-factor authentication?
A. The process of typing in a username and a password
B. The use of a smart card
C. The use of two authentication factors
D. The use of a biometric device

21. Which of the following access control mechanisms is easiest to administer in an environment with a high personnel turnover rate?
A. Access control lists
B. Rule-based access control
C. Role-based access control
D. Discretionary access control

22. Which of the following is the least secure?
A. Challenge-response tokens
B. One-time passwords
C. Static passwords
D. Dynamic passwords

23. Accountability is provided through all but which of the following security mechanisms?
A. Auditing
B. Lockout policy
C. Identification
D. Authentication

24. A user account name and an associated password are the most common representations of which of the following?
A. Biometric enrollment
B. Identification and authentication
C. Two-factor authentication
D. Principle of least privilege

25. Kerberos is most effective against which of the following types of attack?
A. Denial-of-service
B. Social engineering
C. Playback
D. Dictionary attacks

26. The most secure firewall is which of the following?
A. Packet filtering firewall
B. Application gateway firewall
C. Kernel proxy firewall
D. Screened subnet firewall

27. An attack against wireless communications on a network involves violating which of the following?
A. Confidentiality
B. Integrity
C. Availability
D. Throughput

28. SSL can be used to prevent which of the following types of attacks?
A. Man-in-the-middle
B. Brute force and dictionary attacks
C. Denial-of-service
D. Eavesdropping and hijacking

29. What is the most common reason a firewall has vulnerabilities?
A. Use of multiple protocols
B. Use of discretionary access controls
C. Misconfiguration
D. Spoofed attacks waged against a network

30. Which type of firewall is easiest to implement?
A. Static packet filter
B. Dynamic packet filter
C. Application gateway
D. Stateful inspection

31. PGP is a security mechanism that is effective against preventing which type of attack?
A. Malicious code delivery
B. Denial-of-service
C. Email spoofing
D. Hijack attacks

32. VPNs with strong end-to-end encryption can be implemented using which of the following?
A. Kerberos
B. SWIPE
C. PPTP
D. CHAP

33. Which of the following is considered a boundary security mechanism?
A. Gateway
B. Firewall
C. Router
D. VPN

34. Which of the following forms of communication is essentially connectionless?
A. Ethernet
B. TCP
C. Frame relay
D. ISDN

35. What is firewall security based on?
A. Roles
B. Rules
C. Classifications
D. Sensitivity

36. Which of the following is a valid function for a firewall?
A. Convert
B. Discard
C. Bounce
D. Broadcast

37. WAN connections, such as frame relay, ATM, and X.25, operate at which layer of the OSI model?
A. Session
B. Network
C. Transport
D. Data Link

38. Token-Ring operates at which layer of the OSI model?
A. Application
B. Session
C. Network
D. Physical

39. Routers operate at which layer of the OSI model?
A. Application
B. Session
C. Network
D. Physical

40. Switches operate at which layer of the OSI model?
A. Session
B. Network
C. Transport
D. Data Link

41. Routers provide a well-rounded security environment when used in combination with which of the following?
A. Firewalls
B. Proxies
C. Gateways
D. Switches

43. The TCP/IP layer model has how many layers?
A. 3
B. 4
C. 6
D. 7

44. Which networking topology generally requires the least amount of network cabling when connecting the same number of clients in a fixed pattern?
A. Ring
B. Star
C. Bus
D. Mesh

45. Which of the following is true?
A. UTP cabling includes a foil sheath.
B. EMI is reduced by increasing the twists per inch.
C. All twisted-pair wiring can be used up to 500 meters.
D. STP is impervious to tapping and eavesdropping.

46. All but which of the following are centralized remote access authentication systems?
A. DIAMETER
B. Network saturation
C. Denial-of-service attacks
D. Cabling problems
48. Sockets are associated with which of the following protocols?
A. IGMP
B. TCP
C. IPX
D. SHTTP

49. What is another name for a multi-port repeater?
A. Switch
B. Router
C. Hub
D. Gateway

50. Which of the following cable types can be deployed in a single cable segment more than 200 meters in length?
A. 10BASE-2
B. ThickNet
C. STP
D. 100BASE-T

51. What are the primary goals of security?
A. Confidentiality, integration, and accessibility
B. Authentication, authorization, and accountability
C. Availability, integrity, and confidentiality
D. Physical, logical, and administrative

52. When evaluating risk, what is calculated by subtracting the applied countermeasures from the identified risks?
A. Total risk
B. Residual risk
C. Controls gap
D. Acceptable risk

53. Which of the following is not a valid action that can be taken against risk when performing risk management?
A. Reduce
B. Accept
C. Assign
D. Increase

54. What is acceptable risk?
A. Cost of countermeasures > value of object
B. Cost of countermeasures < value of object
C. Attacker’s cost > value of object
D. Attacker’s cost < value of object

55. What is the process of deploying countermeasures to eliminate risk known as?
A. Risk avoidance
B. Risk acceptance
C. Risk mitigation
D. Risk assignment

56. What is the level of risk an organization is willing to accept or assume to achieve a desired goal known as?
A. Risk avoidance
B. Risk assignment
C. Risk mitigation
D. Risk tolerance

57. What is the proper definition of risk?
A. Threat × vulnerability
B. Threat × controls gap
C. Vulnerability × asset value
D. Vulnerability × single loss expectancy
67. Where does security management start?
A. End users
B. System administrators
C. Company owner
D. Department manager

68. What is awareness a prerequisite of?

69. An organizational security policy should primarily focus on which activity?

70. To ensure proper coverage and application, an organization’s security policies should be linked with which of the following?
A. Countermeasures
B. Risks
C. Operating systems
D. User roles

71. When hiring new employees, what is an important part of educating them in regard to the organization’s security policies and procedures?
A. Training in a classroom environment
B. Posting the security policies on an intranet Web site
C. Having an executive teach the security awareness course
D. Obtaining a signed statement indicating they have read and understood the security policies and procedures

72. What is the primary reason organizational security policies are not followed?

73. When defining security objectives, which of the following is the most important?

74. Which of the following organizational security plans is usually useful, stable, and applicable for 1 year?
A. Strategic plan
B. Operational plan
C. Tactical plan
D. Procedural plan

75. An operational plan can include all but which of the following?
A. Project descriptions, including key milestones
B. The implementation schedule
C. Definitions of dependencies among strategies and a logical sequence of initiatives
D. Assessment of the current environment, such as risk assessment
76. Which of the following is the most accurate description of a common computer virus?
A. Malicious code that prevents legitimate activity from occurring on a system
B. Malicious code that replicates using a host program
C. An error on a hardware device that causes data corruption
D. An error caused by sending input to software of a volume larger than it was designed to handle

77. Privacy is easily compromised when which of the following is used on the Web?
A. HTML
B. SSL
C. Cookies
D. Digital signatures

78. What are errors or problems encountered through the violation of data input block size known as?
A. Buffer overflow
B. Flooding
C. Spoofing
D. Denial-of-service

79. Which of the following is not true in regard to software security?
A. Security is often disabled for ease of installation.
B. Security must be configured for the specific environment.
C. Most software is secure right out of the box.
D. Modern software offers numerous features, and each must be evaluated in terms of security.

80. What can be the result of the failure of a programmer to properly handle software failures?
A. System freezing or crashing (that is, a blue screen)
B. Resetting to default configuration
C. Elevation of auditing scope
D. Restarting into privileged mode

81. Database access is usually directed through a controlled client interface that provides which of the following?
A. Availability and integrity
B. Confidentiality and integrity
C. Availability and authentication
D. Backups and redundancy

82. What is a mechanism that provides a structure for gathered data known as?
A. A storage device
B. A database
C. A hierarchical relationship
D. A redundant array

83. What is a tuple?
A. A table stored in a database
B. A row in a database
C. A collection of records of the same type
D. The attribute of one table that is the primary key of another table
84. What is the database component that holds the data that describes the database known as?
A. A cell
B. The degree
C. The data dictionary
D. The schema

85. Which of the following statements is not true regarding a hierarchical data model?
A. It combines records and fields that are related in a logical star structure.
B. Parents can have one child, many children, or no children.
C. It contains branches and leaves or data fields.
D. It’s useful for mapping one-to-many relationships.

86. Which database model provides many-to-many relationships between elements?
A. Relational data model
B. Hierarchical data model
C. Distributed data model
D. Inherent data model

87. A(n) ______________ is an attribute in one relation that has values matching the primary key in another relation.
A. Candidate key
B. Foreign key
C. Relation block
D. Element set

88. What is the cardinality of a database?
C. The number of elements
D. The number of relationships

89. Within a database, a referential integrity mechanism is designed to perform which function?
A. Upon an error, return the database to its previously saved state
B. Ensure that no record contains a reference to a primary key of a nonexistent record
C. Terminate a transaction and execute all changes made by an administrator
D. Verify that all structural and semantic rules are not violated

90. What is the ability of users to deduce information about data at higher sensitivity levels for which they do not have access privileges known as?
A. Aggregation
B. Inference
C. Granularity
D. Escalation

91. What countermeasure can be used against the ability of users to deduce information about data at higher sensitivity levels for which they do not have access privileges?
A. Database partitioning
B. Noise insertion
C. Polyinstantiation
D. Cell suppression

92. Which life cycle model allows for project modifications only to the preceding development stage within that cycle?
100. Which of the following denial-of-service attacks takes the form of numerous incomplete initiations of the TCP three-way handshaking process?
A. Smurf attack
B. Teardrop attack
C. Fraggle attack
D. SYN flood

101. Which of the following is not a goal of a cryptosystem?
A. Confidentiality
B. Availability
C. Integrity
D. Non-repudiation

102. What is the data encryption standard (DES) an example of?
A. An asymmetric key encryption algorithm
B. A symmetric key encryption algorithm
C. A non-repeating hash encryption algorithm
D. A repeating hash encryption algorithm

103. What is MD5 an example of?
A. An asymmetric key encryption algorithm
B. A symmetric key encryption algorithm
C. A hash algorithm
D. A linear regression algorithm

104. IPSec provides protection of transmitted traffic using which two methods or modes?
A. Linking and hashing
B. Transport and tunneling
C. Reporting and logging
D. Stateful and connectionless

105. The key length of ___________ is 160 bits.
A. MD5
B. SHA-1
C. MD2
D. 3DES

106. MD5 can be exploited using which type of attack?
A. Dictionary
B. Scanning
C. Birthday
D. Spoofing

107. Tripwire is a well-known utility used for which purpose?
A. Password database cracking
B. IDS
C. Manipulating ACLs
D. File integrity checking

108. The Public Key Infrastructure (PKI) is designed to provide or create a communications sharing environment that is which of the following?
A. Restricted
B. Controlled
C. Trusted
D. Available

109. Proving the identity of both ends of a transaction using digital signatures, strong encryption algorithms, and the protection of private keys provides which of the following?
A. Integrity
B. Trust
119. DES, DSA, and ECDSA are all components of _________.
A. DES
B. DSS
C. RSA
D. IPSec

120. Which of the following is a true statement about hashing algorithms?
A. All use 128-bit hash values.
B. All are one-way functions.
C. All are very slow.
D. All process text in 1,024-bit blocks.

121. Which of the following can be used as a digital signature?
A. DES
B. Blowfish
C. IDEA

123. When using a communications encryption system, what is the most important aspect of the cryptographic mechanism?

124. Which encryption scheme is unbreakable because each pass phrase or authentication code is used only once?
A. Single sign on
B. One-way hash
C. Digital signatures
D. One-time pad

125. What is link encryption?
A. An encryption system used to protect hyperlinks in a Web document
B. An encryption system that protects traffic only across a specific communications path
C. An encryption system that protects traffic from source to destination
D. An encryption system that protects traffic over VPNs

126. What is an outline of requirements necessary to properly support a specific security policy?

B. Many aspects of the design and architecture of a system are dependent on security requirements.

128. A(n) ________ occurs if the operating system or the software fails to properly set boundaries and restrictions on how much data can be sent to the CPU.
A. Denial of service
B. Buffer overflow
C. Data corruption
D. Encryption key disclosure

129. Nonvolatile storage (such as floppy disks, CD-ROM, and HDD) is labeled as which type of memory architecture?
A. Primary storage
B. Secondary storage
C. Real storage
D. Virtual storage

130. What type of memory is also known as firmware?
A. BIOS
B. RAM
C. ROM
D. EPROM

131. What is the most trusted physical component of a computer?
A. RAM
B. Storage devices
C. Motherboard/mainboard
D. CPU

132. Software uses virtual memory managed by a memory mapper component (that is, virtual memory manager) in the kernel. Why is this done?
A. It provides for faster memory usage.
B. It reduces system overhead.
C. Software is not trusted.
D. Hardware can’t directly support sufficient physical RAM for most software products.

133. Which ring of the protection ring model is designated for input and output device drivers?
A. Ring 0
B. Ring 1
C. Ring 2
D. Ring 3

134. Which of the following statements about the protection ring model is not true?
A. If an entity needs to access a resource in a ring of greater protection, a system call is executed.
B. The higher the number, the greater the protection provided within that ring.
C. Entities can access resources only within their ring and in rings of lower protection.
D. Rings are used to designate protection levels for various aspects of the software components (kernel, drivers, utilities, application, and so on) of a computer.

135. The operating state labeled “problem state” is identified as which of the following conditions?
A. An application is executing.
B. An application is ready to resume execution.
C. A system level or privileged operation is underway.
D. An error has occurred.

136. What is multitasking?
A. Opening several applications at once
B. Processing more than one thread at once
145. The Clark-Wilson model is primarily concerned with which of the following?
A. Prevention of unauthorized disclosure of data
B. Prevention of unauthorized modification of data
C. Prevention of inability to access data in a timely fashion
D. Prevention of data inference

146. Separation of duties is a foundational element of which security model?
A. Biba model
B. Clark-Wilson model
C. Bell-LaPadula model
D. Information Flow model

147. The Trusted Computer System Evaluation Criteria (TCSEC) is defined in which publication?
A. Red Book
B. Purple Book
C. Yellow Book
D. Orange Book

148. Which of the following is a replacement and an update to Trusted Computer System Evaluation Criteria (TCSEC)?
A. Trusted Database Management System (TDI)
B. Common Criteria (CC)
C. Trusted Network Interpretation (TNI)
D. Information Technology Security Evaluation Criteria (ITSEC)

149. According to Trusted Computer System Evaluation Criteria (TCSEC), which of the following is the highest security valuation?
A. A
B. B
C. C
D. D

150. Which TCSEC security label requires the use of security domains?
A. C1
B. B3
C. A1
D. D

151. Which TCSEC security designation is the highest possible that still allows for the presence of covert channels?
A. C2
B. B1
C. B2
D. A1

152. Which National Information Assurance Certification and Accreditation Process (NIACAP) accreditation type is used to evaluate a specific self-contained location?
A. Type
B. Site
C. Domain
D. System
153. A closed system architecture has all features or characteristics except for which of the following?
A. Published specifications
B. Proprietary
C. Offers security through obscurity
D. No significant third-party support

154. Which of the following is a type of covert channel?
A. Side band modem line
B. Timing
C. Encrypted removable media
D. PGP protected email

155. Which of the following is not a valid countermeasure for preventing the use of a backdoor?
A. Network-based IDS
B. Use of strict file system access controls
C. Use of communication encryption protocols
D. Auditing system activities

156. What is the security condition in which no single person has complete access to or control over all the security mechanisms on a system known as?
A. Preventative control
B. Separation of duties
C. Detective control

157. Which of the following reduces the probability of collusion between employees to perform fraudulent activities?
A. Separation of duties
B. Detective controls
C. Rotation of duties
D. Two-man controls

158. What is the primary goal of security configuration management?
A. To ensure that all changes made to a system do not result in reduced security
B. To ensure that changes made to a system are performed only by authorized administrators
C. To track the activities of administrators’ use of elevated privileges
D. To prevent end users from performing administrative tasks

159. Change management should provide for all but which of the following?
A. Tracking and approving all changes to a system
B. Reducing negative effects on productive use of the system
C. Documenting changes to system security
D. Preventing rollback to a previous version of the system

160. Which of the following is not an appropriate change management procedure?
A. Catalog the intended change.
B. Schedule the change.
C. Evaluate the change in light of industry security standards.

161. Which of the following is not a valid procedure for managing personnel security?
A. Skills assessment exams
B. Background checks
C. Mandatory one-week vacation increments
D. Separation of duties
162. An owner of an organization will be held liable for costs associated with a security breach causing a loss if he is unable to ___________.
A. Produce a security policy
B. Show due care
C. Identify a firewall deployment
D. Reference a list of job responsibility designations

163. What is piggybacking?
A. When a person walks through a secured doorway without self-authenticating immediately behind someone who performed proper self-authentication
B. Replaying the packets of a captured session to restart the communication process
C. Adding malicious code to an email or a document
D. Connecting to an open port over a VPN connection

164. What is the data that is still present on a storage device after it has been erased known as?
A. Bad sectors
B. Recycled contents
C. Data remnants
D. File allocation table residue

165. Security controls should be which of the following?
A. As complex as possible
B. As exhaustive as possible
C. As transparent to the user as possible
D. As restrictive as possible

166. The goals of monitoring and auditing are all but which of the following?
A. Resolution of problems
B. Identification of abnormalities
C. Prevention of attacks
D. Identification of normal events

167. What is the monitoring activity that obtains information simply by asking for it known as?
A. Sniffing
B. Dumpster diving
C. Social engineering
D. Demon dialing

168. What is a clipping level?
A. The point at which too much data is gathered by an auditing system and events are lost.
B. The level below which all normal activities occur. Only events above this level should be suspect.
C. The level at which too much data is being transmitted over a network (that is, complete saturation and consumption of available bandwidth) and traffic is lost.
D. The point at which an intruder in a honeypot or padded cell is automatically disconnected.

169. The use of a clipping level allows for all but which of the following activities?
A. Detection of slow, low-profile intrusion attempts against a system
B. Detection of high-occurrence repetitive mistakes by a user
C. Detection of users who are attempting to exceed their authorization levels
D. Detection of high-traffic directed intrusion attempts
170. Which of the following is not true?
A. Audit logs should be retained for historical reference.
B. Audit logs should be protected from alteration.
C. Audit logs should be capable of recording data during an event (in other words, 100% availability).
D. Audit logs should be stored only on removable media.

171. Which of the following is not a threat from inappropriate activities?
A. End users accessing pornographic, political, religious, or violent content
B. Managers conducting private business
C. System operators discussing confidential material with non-employees
D. Program designers including omission errors in their custom scripts

172. All but which of the following are valid countermeasures to traffic analysis vulnerabilities?

174. Countermeasures for port mapping attacks include all but which of the following?
A. Filtering traffic at a firewall
B. Disabling banners on network services
C. Deploying a strong password policy
D. Deploying an IDS

175. A _______________ program is designed to recover from a system freeze or malfunction by bypassing security and access controls.
A. Smurf
B. Superzapping
C. Sniffer
D. SATAN

176. Sniffers that support decoding capabilities are able to perform which activity?
A. Detect intrusion attempts
B. Store their capture buffers on a storage device
C. Reveal the contents of captured traffic
D. Edit packets and retransmit them
179. Which of the following terms is used to label or describe a minor disruptive event where an organization must recover and continue to support critical functions?
A. Disaster recovery planning
B. Business continuity planning
C. Backup restoration planning
D. Security policy planning

180. Which of the following is not a factor of business continuity planning?
A. Provides a means to upgrade security mechanisms
B. Reduces the risk of financial loss
C. Mitigates risks associated with the disruptive event
D. Recovers from problems quickly

181. When a disaster occurs, which of the following is the most important and primary activity that should occur?
A. Locate the off-site backup copies.
B. Order replacement hardware.
C. Ensure that all personnel are accounted for.
D. Issue a press release regarding the disaster.

182. Who is ultimately responsible for the success of a business continuity plan?
A. Security administrators
B. End users
C. Deployment operatives
D. Senior management

183. Which of the following is not one of the three primary goals of business impact analysis (BIA)?
A. Downtime estimation
B. Criticality prioritization
C. Vulnerability assessment
D. Resource requirements

184. Which of the following is a key element in the implementation process of a business continuity plan?
A. Industry standards
B. Employee awareness
C. Dry run testing
D. Senior management approval

185. Which of the following should be true of an organization’s business continuity plan?
A. There should be only one.
B. Once developed, the plan requires no maintenance.
C. Auditing the plan is unnecessary.
D. Each department should have its own local plan.

186. Disaster recovery planning should address all but which of the following?
A. Paying investors recovery dividends
B. Providing backup operations during the recovery process
C. Providing for a salvage operation after the primary recovery is complete
D. The procedures necessary to respond to an emergency
187. Which type of subscription service site offers a computer facility readily available with electricity, air conditioning, and computers but does not have applications installed?
A. Hot site
B. Warm site
C. Cold site
D. Secondary site

188. Which of the following is not a disadvantage of a hot site?
A. Low administration overhead.
B. Expense.
C. Service providers often oversell their capabilities.
D. Contains a real-time mirrored image of production data.

189. Which of the following is not considered an adequate resource for disaster recovery?
A. Hot site
B. Warm site
C. Cold site
D. Secondary site

190. When selecting an offsite facility for use during disaster recovery, which of the following is the most important aspect to consider?
A. Cost
B. Square footage
C. Distance from original site
D. Exclusive use

191. The process of backing up data to an offsite location is known as which of the following?
A. Remote storage
B. Electronic vaulting
C. Warm site development
D. Database shadowing

192. What is remote journaling?
A. Duplicating data sets to multiple servers
B. Batch processing transactions to an alternative site
C. Parallel processing of transactions to an alternative site
D. Transmitting data to an alternative site via WAN connections

193. Which of the following is true of disaster recovery plans?
A. Testing can be performed by any means.
B. Demonstrated recovery capability exists even without testing.
C. Tests only need to involve critical components of the plan.
D. If a plan is not tested, it does not work.

194. Which type of test involves the distribution of the plan to all appropriate personnel for review?
A. Checklist test
B. Structured walk-through test
C. Simulation test
D. Parallel test
195. Which type of test is a full test but the activities at the production environment are not stopped?
A. Structured walk-through test
B. Simulation test
C. Parallel test
D. Full-interruption test

196. Which type of test works through the recovery plan up to the point just before alternative processing is initiated?
A. Checklist test
B. Structured walk-through test
C. Simulation test
D. Parallel test

197. The ______________ team returns to the original site only after the possibility of personal injury is eliminated.
A. Recovery
B. Salvage
C. Response
D. Evaluation

198. When is an emergency actually over?
A. When personal danger is eliminated
B. When operations are fully functional at an alternative site
C. When the organization fully returns to the original site
D. When all critical functions are supported

199. When recovering from a disaster, what should be performed first?
A. Restore the least critical functions.
B. Restore critical functions.
C. Salvage equipment from the original site.
D. Evaluate public relations damage.

200. What is an important item that should be part of a disaster recovery plan but is often overlooked?
A. Designation of an alternative site in the event the primary site is destroyed
B. Adequate backup of data
C. Quick restoration of business processes
D. Continuing to pay employees even if business production is interrupted

201. Which of the following is not restricted in the (ISC)2 Code of Ethics?
A. Acting dishonestly
B. Writing viruses
C. Providing incompetent service
D. Detracting from the security profession

202. Which of the following is not considered an unethical activity by the Internet Activities Board (IAB) according to RFC 1087?
A. Gaining unauthorized access to resources on the Internet
B. Wasting resources
C. Selling products over the Internet
D. Compromising the privacy of users

203. Which of the following is not part of the Generally Accepted Systems Security Principles (GASSP)?
A. The mission of an organization should be supported by the security policy.
B. Sound management has a foundation of security principles.
C. Computer security should be cost effective.
D. System security can’t be bound by societal restraints or factors.

204. Which of the following is not considered a computer crime?
A. Wasting resources
B. Password theft
C. Emanation eavesdropping
D. Distribution of malicious code

205. TEMPEST is used for what purposes?
A. Reading all email transmitted over the Internet
B. Retaining a copy of every Web site on the Internet
C. Preventing the interception of RF emanations
D. Tracking messages on the Internet for key phrases

206. What is pretending to be someone else to gain a greater level of access known as?
A. Espionage
B. Masquerading
C. Scripting
D. Superzapping

207. The theft of small amounts of information from numerous sources to reveal or extract highly confidential information is known as which type of attack?
A. Salami
B. Birthday
C. Sniffing
D. Spoofing

208. Modifying data through unauthorized means is known as which of the following?
A. Masquerading
B. Social engineering
C. Data diddling
D. Superzapping

209. Which of the following is not a significant restriction to the investigation of computer crimes?
A. Intangibility of evidence.
B. Evidence gathering requires no special skills.
C. Compressed investigational time frame.
D. Investigations might interfere with normal system operations and productivity.

210. In 1991, the U.S. Federal Sentencing Guidelines were revised in regard to punishments for breaking federal laws so that the severity of punishment is a direct relation to the degree _____________.
A. The organization demonstrates due diligence
B. The perpetrator demonstrates technical expertise
C. Of loss of public confidence and profitability
D. Of the actual damage incurred

211. Which of the following is not an important aspect of showing due care?
A. Creating disaster recovery and business continuity plans
B. Implementing data backups and providing for hardware replacement
C. Public access to periodic vulnerability assessments
D. Intelligent use of physical and logical access controls
220. The act of encouraging the commission of a crime by an individual who initially had no intention of committing a crime is known as which of the following?
A. Entrapment
B. Enticement
C. Entertainment
D. Espionage

221. A computer incident response team (CIRT) is responsible for all but which of the following?
A. Reducing risk after an incident
B. Gathering evidence related to an incident
C. Minimizing negative impact on public relations due to an incident
D. Purging audit logs of details related to an incident

222. Which of the following should be performed during the initial process of evidence gathering at the scene of a computer crime?
A. Reboot the system
B. Image the hard drive
C. Turn off power supplies
D. Use a portable x-ray device to scan the contents of the computer boxes

223. Evidence must be all but which of the following?
A. Relevant
B. Permissible
C. Sufficient
D. Reliable

224. When gathering evidence of a computer crime, printouts should be identified or labeled using what?
A. Removable stickers
B. Permanent markers
C. Pencils
D. Hole punches

225. What is the most important aspect of evidence gathering?
A. Proper labeling
B. Prevention of alteration or tampering
C. Return of evidence to owner
D. Enclosure in an air-tight container

226. What type of evidence proves or disproves a specific act through oral testimony based on evidence gathered through the witness’s five senses?
A. Direct evidence
B. Best evidence
C. Circumstantial evidence
D. Hearsay evidence

227. What is evidence that is not based on personal, firsthand knowledge of the witness but was obtained from another source known as?
A. Circumstantial evidence
B. Opinions
C. Hearsay evidence
D. Secondary evidence
246. The benefits of guards for maintaining a physical security perimeter include all but which of the following?
A. Ability to adjust to quickly changing conditions
B. Available for a nearly infinite variety of environments and conditions
C. Able to recognize intrusion patterns in real time
D. Able to make value judgments based on subjective information

247. Dogs are often a more suitable alternative to guards for numerous reasons, such as?
A. Cost
B. Reliability
C. Maintenance
D. Liability issues

248. What is a mantrap?
A. A double set of doors often monitored by a guard
B. A type of encryption algorithm
C. A fence surrounding a secure facility
D. A perimeter traffic monitor

249. Which is the most common form of perimeter or boundary protection?
A. Dogs
B. Guards
C. CCTV
D. Lighting

250. What is the act of degaussing and overwriting data media for intended use outside the protected and secured environment known as?
A. Destruction
B. Purging
C. Cleaning
D. Data mining

Answers to Exam Questions

1. B. The principle of least privilege implies users are granted minimal necessary access to perform their work tasks.

2. C. Mandatory access control must have subject classification to control access. Discretionary, ACLs, and rule-based all employ object-specific controls.

3. C. Spoofing is an active attack.

4. B. Administrative, logical, and physical controls are mechanisms of access control.

5. B. Padded cells include a simulated environment, logging capabilities, and malicious action restrictions, but they do not contain confidential data.

6. C. IDS is a detective security measure; it looks for abnormal or unauthorized activity. IDS does not prevent attacks directly, but it does inform system administrators of weaknesses that should be patched. IDS is usually not reactive or corrective. Some newer IDS products offer moderate reactive activities, such as disabling breached ports, but the CISSP CBK still defines IDS as detective only.

7. B. IDS is weakest at detecting spoofing attacks.
8. C. The crossover error rate (CER) is the performance rating for biometric devices that is used to judge the relative effectiveness between similar devices from different vendors.

9. B. Legal ramifications are the most important aspect to consider when deploying a honeypot.

10. A. The Bell-LaPadula security model was designed to address confidentiality.

11. B. The Biba security model was designed to address integrity.

12. B. Email filters are most effective against spamming attacks.

13. C. Storage system quota management is not a form of fraud prevention. Job rotation, mandatory vacations, and separation of duties are all forms of fraud prevention.

14. C. The * (star) property is associated with the Bell-LaPadula security model.

15. B. The order of security actions performed by access control mechanisms is identification, authentication, authorization, and then accountability.

16. C. Something you owe is not a valid authentication factor.

17. A. The simple integrity axiom can be simply stated as no read down.

18. B. A type II error is a false acceptance.

19. B. A virtual password is created from a pass phrase that is used for the actual authentication process.

20. C. Two-factor authentication is the use of any two authentication factors.

21. C. Role-based access control is the easiest to administer for environments with high personnel turnover rates. Role-based access control assigns privileges to roles instead of individuals. In environments with a high rate of turnover, assigning roles to new users is easier than modifying ACLs (which are discretionary controls) or altering rules.

22. C. Static passwords are the least secure password mechanism.

23. B. Lockout policy does not provide accountability.

24. B. A username and password are the most common representations of identification and authentication.

25. C. Kerberos is most effective against playback attacks.

26. D. A screened subnet firewall is the most secure because it employs a screened subnet within which the bastion host firewall resides. This effectively adds another layer of protection the other three firewall types do not offer.

27. A. Confidentiality is primarily violated when an attack is waged against wireless communications.

28. D. SSL can be used to prevent eavesdropping and hijacking attacks.

29. C. A firewall’s vulnerabilities are most often caused by misconfiguration.

30. A. A static packet filter firewall is the easiest to implement.

31. C. PGP is effective at preventing email spoofing attacks.

32. C. PPTP can be used to implement a VPN with strong end-to-end encryption.
33. B. A firewall is a boundary security mechanism.

34. A. Ethernet is a connectionless communication form. TCP, frame relay, and ISDN are all connection-oriented communication forms.

35. B. Firewall security is based on rules.

36. B. Discard is a valid function of a firewall.

37. B. WAN connections operate at the Network layer (layer 3).

38. D. Token-Ring operates at the Physical layer (layer 1).

39. C. Routers operate at the Network layer (layer 3).

40. D. Switches operate at the Data Link layer (layer 2).

41. A. Firewalls and routers provide a well-rounded security environment when used together.

42. B. A star topology can be used by both Ethernet and Token-Ring networks.

43. B. The TCP/IP layer model has 4 layers.

44. B. A star topology generally requires the least amount of network cabling.

45. B. EMI is reduced by increasing the twists per inch.

46. D. CIRCUMFERENCE is not a centralized remote access authentication system.

47. D. Cabling problems are the most common cause of network failures.

48. B. Sockets or ports are associated with TCP.

49. C. A hub is a multi-port repeater.

50. B. ThickNet, or 10BASE-5, can be deployed 500 meters.

51. C. The primary goals of security as defined by the CIA Triad are availability, integrity, and confidentiality.

52. B. Identified risk minus countermeasures is residual risk.

53. D. Increasing risk is not a valid action within risk management.

54. A. Acceptable risk occurs when the cost of countermeasures exceeds the value of the object.

55. C. Risk mitigation is the process of deploying countermeasures.

56. D. Risk tolerance is the level of risk an organization is willing to accept or assume to achieve a desired goal.

57. A. Risk can be defined as threat × vulnerability. The control’s gap is the benefit gained by implementing safeguards. It is the reduction of risk; it is not used to calculate risk. Risk is also not a product of an asset value or SLE.

58. A. A purely quantitative risk analysis is not possible because you can’t quantify a qualitative item.

59. B. Obtaining sign-off letters from management is always an essential element of risk management.

60. B. Guidelines provide optional instructions within an organization.

61. B. Top secret is the most sensitive classification.

62. D. Standards are defined by entities outside the organization.

63. C. A trade secret provides confidentiality of proprietary technical or business-related information.

64. B. An important aspect of the removal process is to remind the former employee about your non-disclosure agreements.

65. B. Availability, within the CIA triad, can also mean timeliness.

66. B. Integrity can also mean non-repudiation.
67. C. Security management starts with the company owner.

68. C. Awareness is a prerequisite of security training.

69. B. A security policy should primarily focus on end user behavior modification.

70. B. An organization’s security policies should be linked to risks.

71. D. An important part of new employee education is to obtain a signed statement indicating the employee has read and understood the security policies and procedures.

72. C. Lack of enforcement is the primary factor why organizational security policies are not followed.

73. B. The most important aspect of defining security objectives is that the objective must be achievable.

74. C. The tactical plan is usually useful, stable, and applicable for only about 1 year.

75. D. An operational plan does not include assessment of the current environment, such as risk assessment.

76. B. A common virus is malicious code that replicates using a host program.

77. C. The use of cookies often compromises privacy.

78. A. Violation of data input block size is a buffer overflow.

79. C. Software is rarely secure right out of the box.

80. D. Restarting into privileged mode is a possible result if software failures are not properly managed by program developers.

81. B. Database access is usually directed through a controlled client interface that provides confidentiality and integrity.

82. B. A mechanism that provides structure for gathered data is known as a database.

83. B. A tuple is a row in a database.

84. D. The schema is the database component that holds the data that describes the database.

85. A. A hierarchical data model combines records and fields that are related in a logical tree structure, not a star.

86. C. A distributed data model provides for many-to-many relationships between elements.

87. B. A foreign key is an attribute in one relation that has values matching the primary key in another relation.

88. A. The cardinality of a database is the number of rows.

89. B. A referential integrity mechanism is designed to ensure that no record contains a reference to a primary key of a nonexistent record.

90. B. The ability of users to deduce information about data at higher sensitivity levels for which they do not have access privileges is known as inference.

91. A. Database partitioning is the countermeasure to prevent inference.

92. D. The waterfall model allows for project modifications only to the preceding development stage.

93. B. Live or real field data should never be used to test products.

94. B. Level 2, the Repeatable level, of the SEI project process maturity scale states that project practices are institutionalized.

95. A. An expert system exhibits reasoning capabilities similar to those of a human through the collection of rules and the building of inference mechanisms.
96. B. Compiled code poses a higher security risk than interpreted code because malicious code can be embedded in the compiled code and be difficult to detect.

97. C. Accepting all digital certificates presented to your system is not a mechanism for restricting malicious code. Digital signatures can be falsified or have untrusted backing and thus provide an unrestricted path into your system.

98. B. A worm is a type of malicious code that self-replicates to other systems and does not need a host program to function.

99. A. Spoofing is not considered a denial-of-service attack; it is an attack type of its own. Spoofing is the impersonation of something other than who you are.

100. D. A SYN flood is a denial-of-service attack that takes the form of numerous incomplete initiations of the TCP three-way handshaking process.

101. B. Availability is not a goal of cryptosystems; authenticity is.

102. B. DES is an example of a symmetric key encryption algorithm.

103. C. MD5 is an example of a hash algorithm.

104. B. IPSec uses the transport and tunneling modes.

105. B. SHA-1 has a key length of 160 bits.

106. C. MD5 can be exploited using the birthday attack.

107. D. Tripwire is a file integrity checking utility.

108. C. The goal of PKI is to create trusted environments.

109. B. Proving identities provides trust.

110. C. PKI is an infrastructure.

111. C. ICMP can’t be protected by TLS or SSL.

112. B. ESP provides limited authentication.

113. A. WTLS is a wireless encryption protocol, not part of IPSec’s IKE.

114. B. S-HTTP is an alternative to SSL. S-HTTP offers Web communication protection by encrypting individual documents rather than the entire session.

115. C. SSH, or Secure Shell, is a secure replacement for Telnet.

116. A. WEP, or Wired Equivalent Privacy protocol, is used to encrypt IEEE 802.11b (wireless) communications.

117. D. Teardrop is a DoS attack and is not aimed at cryptography.

118. A. AES is a replacement for DES. DES is an older standard based on 56-bit keys and is easily broken by current technology. AES is a very strong and very fast replacement. AES is based on the Rijndael algorithm and uses 128-, 192-, or 256-bit keys.

119. B. DES, DSA, and ECDSA are all components of the Digital Signature Standard (DSS).

120. B. All hash algorithms are one-way functions.

121. D. ElGamal, an asymmetric key algorithm, can be used as a digital signature.

122. C. HAVAL is a hashing algorithm.

123. C. Key management is the most important aspect of a cryptographic system. Without proper key management, none of the other elements of an encryption communication system matter.

124. D. A one-time pad is the encryption scheme that is unbreakable because each pass phrase or authentication code is used only once.
125. B. Link encryption is an encryption system that protects traffic only across a specific communications path.

126. A. A security model is an outline of requirements necessary to properly support a specific security policy.

127. C. Security must be included as an initial aspect of product design; it shouldn’t be added after initial development.

128. B. A buffer overflow occurs if the operating system or the software fails to properly set boundaries and restrictions on how much data can be sent to the CPU.

129. B. Nonvolatile storage is labeled as secondary storage.

130. C. ROM is also known as firmware.

131. D. The CPU is the most trusted physical computer component because it is the central element of a system. All the other components are controlled by or accessed from the CPU.

132. C. Software is not trusted, so virtual memory is used to create an access control layer between software and the physical components of the computer (that is, the kernel and its resource managers, such as the virtual memory manager).

133. C. Ring 2 is designated for I/O device drivers.

134. B. The lower the number, the greater the protection provided by that ring.

135. A. A problem state is the state in which an application or problem is executing; it has nothing to do with errors.

136. C. Multitasking is processing more than one process at once.

137. A. The statement “The more complex a security system is, the less assurance it provides” is true. Protection can occur at any point between the subject and object. Security measures often regulate activities between programs and objects. The simpler the security system is, the more likely it will provide the intended security.

138. B. TCB is the collection of components within a system that provides a specific level of trust (that is, security).

139. B. Resource isolation is required to provide accountability on a system.

140. B. The Take-Grant model is represented by a directed graph that specifies the rights a subject can transfer to an object or that a subject can obtain from another subject.

141. C. A state machine requires secure transactions.

142. C. The rows of an access matrix are known as capability lists.

143. D. The Bell-LaPadula model protects the confidentiality of data.

144. A. The Biba model is lattice based.

145. B. The Clark-Wilson model is primarily concerned with the prevention of unauthorized modification of data.

146. B. The Clark-Wilson model requires separation of duties.

147. D. The Orange Book contains the details on Trusted Computer System Evaluation Criteria (TCSEC).

148. B. Common Criteria (CC) is a replacement for and update to TCSEC.

149. A. A is the highest security valuation as defined by TCSEC.

150. B. A B3 TCSEC certification requires the use of security domains.
151. C. B2 is the highest TCSEC security designation that still allows for the presence of covert channels.

152. B. The NIACAP Site Accreditation type is used to evaluate a specific self-contained location.

153. A. A closed system does not have published specifications.

154. B. Timing and storage are the two most common types of covert channels.

155. A. A network-based IDS would be ineffective against a host-based backdoor; therefore, a host-based IDS should be used.

156. B. Separation of duties specifies that no single person has complete access to or control over all the security mechanisms on a system.

157. C. Rotation of duties reduces collusion because multiple people will have the skills to review the activities within any specific job position and detect fraud or other crimes. It also forces the criminal element to involve more people in the conspiracy to keep things quiet because each time jobs are rotated, new individuals become capable of detecting the crime.

158. A. The primary goal of change management is to ensure that all changes made to a system do not result in reduced security.

159. D. Change management should provide for rollback to a previous version of the system.

160. C. Change evaluation in light of industry security standards is not an appropriate procedure in the process of change management.

161. A. Skills assessment exams are not part of personnel security management.

162. B. Owners must show due care to avoid full responsibility for a security breach.

163. A. The act of piggybacking is when a person walks through a secured doorway without self-authenticating immediately behind someone who performed proper self-authentication.

164. C. Data remnants are the elements of data remaining on media after it has been erased.

165. C. Security controls should be transparent to the user.

166. C. Monitoring and auditing don’t directly prevent attacks. The results of monitoring and auditing can be used to select countermeasures to protect against future attacks.

167. C. Social engineering is the monitoring activity that obtains information simply by asking for it.

168. B. A clipping level is the level below which all normal activities occur; only events above this level should be suspect.

169. A. Clipping levels are ineffective against slow, low-profile intrusion attempts.

170. D. Audit logs can be stored on removable media, but it is not a universal requirement.

171. D. Program designers including omission errors in their custom scripts is a threat because of accidental loss, not inappropriate activities.

172. A. The use of encryption does not prevent traffic analysis.

173. B. SATAN is a vulnerability scanner.

174. C. A strong password policy, although a good security measure, is not a countermeasure against port mapping. Useful port mapping countermeasures include filtering traffic at the firewall, disabling banners on network services, and deploying an IDS.
175. B. A superzapping program is designed to recover from a system freeze or malfunction by bypassing security and access controls.

176. C. A sniffer’s ability to decode is used to reveal the contents of captured traffic.

177. D. nmap is a port scanner.

178. D. IPSec authentication is a countermeasure for session hijacking.

179. B. Business continuity planning is used to label or describe a minor disruptive event where an organization must recover and continue to support critical functions.

180. A. Upgrading security mechanisms is not a factor of business continuity planning. All the other selections are aspects or factors of business continuity planning.

181. C. Personnel safety is always the highest priority.

182. D. Senior management is ultimately responsible for the success of a business continuity plan.

183. C. Vulnerability assessment is often part of performing a BIA, but it is not one of the goals of a BIA.

184. B. Employee awareness is a key element in the implementation process of a business continuity plan. Senior management approval is not a key element because it’s the step before implementation.

185. A. There should be only a single business continuity plan per organization.

186. A. Paying dividends is not an issue to be included in a disaster recovery plan.

187. B. A warm site has a functional facility with hardware but no software or configuration.

188. A. Hot sites have a high administrative overhead.

189. C. A cold site is not considered an adequate resource for disaster recovery because of the time required to install and configure systems for productive operation.

190. C. The distance from the original site is the most important aspect to consider. It should be far enough away not to be involved in the same disaster as the primary site but close enough that traveling is not extensive.

191. B. Electronic vaulting is the process of backing up data to an offsite location.

192. C. Remote journaling is parallel processing of transactions to an alternative site.

193. D. If a plan is not tested, it does not work.

194. A. A checklist test involves the distribution of the plan to all appropriate personnel for review.

195. C. A parallel test is a full test, but the activities at the production environment are not stopped.

196. C. A simulation test is a type of test that works through the recovery plan up to the point just before alternative processing is initiated.

197. B. The salvage team returns to the original site only after the possibility of personal injury is eliminated.

198. C. Only when the organization has fully returned to the original site is the emergency over.

199. A. The first step in recovering from a disaster should be the restoration of the least critical functions. This allows for testing of procedures, connectivity, infrastructure, and so on so that if there are any errors or problems, they can be detected and resolved before the critical functions of the organization are affected.
200. D. Having a mechanism to continue to pay employees even if business production is stopped is an important and often overlooked aspect of disaster recovery planning.
201. B. Writing viruses is not specifically restricted in the (ISC)2 Code of Ethics.
202. C. Selling products over the Internet is not considered an unethical activity by the IAB according to RFC 1087.
203. D. The GASSP does state that system security is bound by societal restraints or factors.
204. A. Wasting resources is not considered a computer crime.
205. C. TEMPEST is used to prevent the interception of RF emanations.
206. B. Masquerading is the act of pretending to be someone else to gain a greater level of access.
207. A. A salami attack is the theft of small amounts of information from numerous sources to reveal or extract highly confidential information.
208. C. Data diddling is the act of modifying data through unauthorized means.
209. B. Evidence gathering requires special skills, usually those of a systems expert or forensic specialist.
210. A. The severity of punishment is related to the degree the organization demonstrates due diligence.
211. C. Revealing the results of periodic vulnerability assessments is not part of due care.
212. D. Legal liability exists if the countermeasure is less than the expected loss from an exploited vulnerability.
213. D. The prudent man rule from the 1991 U.S. Federal Sentencing Guidelines states that senior officials must perform their duties with the same care that ordinary sensible people would exercise under similar circumstances.
214. B. A legally recognized obligation must be demonstrated to prove negligence.
215. D. Common law is based on precedent (in other words, court and judicial decisions established in previous cases).
216. B. Criminal law is directed toward protecting the public.
217. A. A patent provides the creator of a work exclusive rights for 17 years.
218. B. European privacy laws are more restrictive than U.S. privacy laws. For example, collecting personal data to use as marketing demographics is more strictly regulated in Europe than in the U.S.
219. D. Privacy can’t be guaranteed when electronic monitoring is used.
220. A. Entrapment is the act of encouraging the commission of a crime by an individual who initially had no intention of committing a crime.
221. D. The CIRT team should retain and protect evidence, not purge it.
222. B. Imaging the hard drive is the only action out of this list of options that should be taken during the initial process of evidence gathering at the scene of a computer crime.
223. C. Sufficiency is not an aspect of evidence; that is up to a judge or jury.
224. B. Printouts should be labeled using permanent markers.
225. B. Prevention of alteration or tampering of evidence is the most important aspect of evidence gathering.
226. A. Direct evidence proves or disproves a specific act through oral testimony based on evidence gathered through the witness’s five senses.
227. C. Hearsay evidence is not based on personal, firsthand knowledge of the witness but is obtained from another source.
228. A. Hearsay evidence is generally inadmissible in court.
229. C. Interrogation is the act of gathering or discovering enough evidence about a subject to consider an individual a suspect.
230. D. The U.S. Privacy Act of 1974 applies to federal agencies and is directed toward the protection of information about private individuals that is stored in government databases.
231. C. Training is an administrative security control.
232. D. Fire detection and suppression are technical security controls.
233. B. Property tax rate is not a security concern.
234. D. Telephone company proximity is not a security or safety consideration.
235. D. A human incompatible server/equipment area does not provide for or double as a personnel shelter.
236. B. Unauthorized disclosure violates confidentiality, not availability.
237. C. Security controls must always comply with laws and regulations.
238. B. Hardware should be replaced as it reaches its mean time between failures.
239. B. Sag is momentary low voltage.
240. A. Traverse mode noise is the EMI generated by the difference between hot and neutral wires.
241. B. 40%–60% humidity is ideal for the operation of computer components.
242. C. Static electricity of 2,000 volts will cause a system shutdown.
243. C. A Class C fire extinguisher should be used for electrical fires. Class A fire extinguishers are used for common combustibles. Class B fire extinguishers are used for liquid fires. There is no Class AB fire extinguisher.
244. D. A preaction pipe is recommended for computer centers because it can be disabled and drained in the event of a false alarm or quickly averted emergency before damaging electronic components.
245. B. FM-200 is the replacement gas for Halon.
246. B. Guards can’t be used in numerous environments, and many environments don’t support human presence or intervention.
247. B. Dogs are reliable perimeter controls.
248. A. A mantrap is a double set of doors often monitored by a guard.
249. D. Lighting is the most common form of perimeter or boundary protection.
250. B. Purging is the act of removing data remnants from media for use outside the protected environment.
PART III
APPENDIXES
A Glossary

APPENDIX A
Glossary

A
abstraction  When data is managed as a collection called an object, it is called abstraction.
access control  An extension of administrative procedures that tell administrators how to configure authentication and other access control features of the various components.
Address Resolution Protocol (ARP)  Allows a host to determine an unknown remote destination physical address from a known logical address. It is typically used for mapping IP addresses to MAC addresses.
administrative management  The management of all things administrative, such as personnel management, recordkeeping, and the like.
administrative or management controls  Personnel screening, separation of duties, rotation of duties, and least privilege are examples of administrative controls.
American Standard Code for Information Interchange (ASCII)  ASCII is most commonly used for text file formatting. ASCII uses a 7-bit binary number to represent characters.
Annual Loss Expectancy (ALE)  A mathematical formula used in risk analysis to determine the potential amount of money represented by a business interruption event.
annualized rate of occurrence  The ratio of the estimated possibility that a threat will take place in a one-year time frame.
application software maintenance controls  These controls monitor installations, updates to applications, and changes.
Application Specific Integrated Circuit (ASIC)  ASICs are special purpose computer chips that are designed to perform specific tasks and functions—for example, switching functions.
ARCnet  This network access methodology uses a token-bus access method for delivering data at 2.5Mbps.
asset valuation  The evaluation of assets and the risk associated with their loss.
assurance  The confidence that a product or process meets security objectives defined for it.
Asynchronous Transfer Mode (ATM)  ATM is a LAN/WAN transmission method that uses fixed length 53-byte cells for transmitting data at rates up to 10Gbps. ATM uses permanent virtual circuits and switched virtual circuits to identify connections.
audit  An examination of a set of data against a set of rules to determine whether it is in compliance with the rules.
audit and variance detection controls  Audit logs contain information on the exercise of privilege or records of system activity. Variance detection products detect and may send alerts when unusual activities occur.
authentication  Authentication is a matter of what the entity knows, what they may have, or who the entity is. For strong authentication, use at least two of these principles.
authenticity  The requirement in law that evidence must be established as being authentic before it is accepted in court.
authorization  The process of granting permission to specific resources.
awareness training  Making employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary, and private information.

B

backup procedures  The procedures that detail how copies of data are kept so that they will be available should recovery be necessary. They should also address the potential need for equipment.
banner grabbing  A technique in which Telnet or other sessions are started with a computer in hopes of getting the banners, or blurbs, which tell about the service, back for analysis. Banners can tell an attacker much information about the system.
baselines  Used to create a minimum level of security necessary to meet policy requirements.
basic input/output system (BIOS)  Provides the basic information on hardware devices including storage devices, as well as security and boot sequence.
Bell-LaPadula model  Security policy model of the Orange Book. It is a state transition model of security policy, and it describes access control rules. In this model, entities in a computer system are divided into an abstract set of subjects and objects; each change in computer system state must not change security. System state is secure if only access by subjects to objects is in accordance with policy. Policy grants clearance (is access authorized by this subject?) to a subject based on classification of the object.
Best Evidence Rule  A requirement in law that evidence of a writing must normally be the original writing itself rather than a copy. The rule has many exceptions and is of little relevance to electronic evidence.
Biba Model integrity model  Another formal access control model. In this model a set of rules states that a subject can’t depend on an object or other subject that is less trusted than itself.
blended malware  Malware that can use several attack vectors to infect systems and networks. It also uses various techniques to do harm.
boot sector virus  A virus that infects the boot sector of a computer.
Bootstrap Protocol (BootP)  BootP is a protocol that allows for the automatic network configuration and booting of devices, particularly diskless workstations. BootP is a predecessor of DHCP.
bridge  A data link layer network device that is used to segment network traffic. Bridges can learn the MAC addresses of hosts on segments, which allows them to filter traffic from segments that do not contain the destination.
British Naval Connector (BNC)  BNC connectors are used to connect coaxial networks using a half locking mechanism.
broadcast  A broadcast is a packet or frame that is addressed to all hosts on a network.
brute-force attack  An attack in which every possible combination of characters is tried in order to crack a password.
buffer overflow  An error condition where too much data is entered into a program or some portion of a program. A buffer, or area in memory, is reserved to hold the entry and is too small for the amount of data entered. The result of a buffer overflow can be a simple crash of the program, or it can result in a situation where an attacker can run code of his choice on the system.
business continuity planning (BCP)  The process of determining those critical business functions that must be quickly restored after a business interruption event if the business is to survive. Also, the development of steps to ensure this occurs. It encompasses both disaster-recovery planning and business-resumption planning.
business impact assessment (BIA)  An analysis of the impact of the loss of business processes. A financial loss is calculated over time and used to determine the maximum tolerable downtime for each process. The BIA results are then used to identify the most critical processes and how quickly they must be brought back online. Resources can then be allocated to assist planners and business process owners in ensuring this activity.
business resumption planning (BRP)  The process of detailing the recovery of critical operational processes.

C

cache  CPU memory storage that the CPU can access faster than RAM. Level-2 cache is usually a dedicated, small memory subsystem, while Level-1 cache is a smaller memory subsystem that is built into the CPU chip.
capture  The file of captured packets collected by the sniffer.
carrier sense, multiple access/collision detection (CSMA/CD)  CSMA/CD is the network access methodology employed by Ethernet. With CSMA/CD, when a host decides to transmit, it first listens to determine whether it detects a signal. If it does not, it then attempts to transmit. Finally, it listens to determine whether a collision occurred and the data needs to be retransmitted.
catastrophe  An event which causes enough damage to require significant restructuring of an environment.
centralized controlled computing  Computers may be distributed, but configuration, maintenance, and control are centralized.
centralized system  All computing takes place in one place.
chain of evidence (or Chain of Custody)  A series of records showing where evidence came from, who was responsible for it, what happened to it, how it was protected, whether it was changed, and so on.
change control  Maintenance and tracking of changes to hardware and software.
channel  The path used for information system transfer.
channel service unit/data service unit (CSU/DSU)  The CSU/DSU acts as a buffer between the CPE and the provider network, ensuring that faulty CPE cannot affect the provider network. The CSU/DSU converts data from LAN technologies to WAN technologies.
Clark-Wilson model of security policy  An access control model designed for commercial deployment. It features nondiscretionary access control, privilege separation, and least privilege.
clearance  A level associated with a user in a system that has mandatory access control. A user with a clearance can access information with a sensitivity label equal to or lower than her clearance.
clearing  If writable media is to be reused, it is made available by overwriting the classified information. (This does not lower the classification level of the media.)
clipping level  That level at which repeated errors will trigger an alert.
closed system  A computer system that does not use normal user interfaces and limits users to a single application or language.
cold site  An alternative process site that only provides the basic environment. Wiring, power, and air conditioning should be available, but no computers or peripherals are present.
co-location  A second location for business operations. Data is constantly refreshed at the co-location so that if the prime site fails, the co-location site can immediately take over operations. Web sites are often co-located to ensure constant and consistent operation no matter the interruption.
compartmentalization  Isolation of OS, user programs, and data files from each other provides protection against unauthorized access. Also, breakdown of sensitive data into small blocks to reduce risk of unauthorized access.
computer facility  The facilities where computers will be used, including the structures or parts of structures. For small computers, standalone systems, and word processing equipment, it may be defined as the physical area where the computer is used.
computer incident response team (CIRT)  The CIRT is the group of people designated to respond to security incidents. CIRT is synonymous with CERT (Computer Emergency Response Team), but CERT is a trademark.
computer premises equipment (CPE)  CPE refers to the customer-owned, -managed, and -maintained equipment at the customer location that typically connects to a service provider.
confidentiality  The secrecy of the information asset.
confidentiality, integrity, and availability (CIA)  Represents the three basic principles of computer security.
configuration management  Maintenance and tracking of changes to hardware and software.
conflict of interest  An unethical state of affairs in which a professional has incentive to serve two inconsistent objectives, such as a duty to serve her employer while she is being paid a bribe to serve a vendor to her employer.
controls  The means to prevent misuse or abuse of privileges while allowing authorized individuals or processes to do their jobs.
cooperative hot site  A site owned by a group (departments, divisions within a company, partner companies, strategically aligned companies, or associations) and available to members of the group during an emergency.
copyright  The exclusive right to exploit a written work such as a novel, photograph, or software program.
corrective control  A control that reduces the impact of an attack.
counteranalysis  A technique that seeks to confuse the enemy with misinformation.
countermeasure  A method that will prevent or mitigate the effect of an attack.
covert channel  Communications channel that allows information to be transferred outside of the security policy through an abnormal path which is therefore not protected by normal security.
covert storage channel  Allows one process to store and another to read, from the same location. Each process has separate and different security levels.
covert timing channel  One process signals another by modifying system resource use, in order to affect the response time. The second process can see this difference.
cryptographic keys  Using public key cryptography, the user has a private key, or digital signature, that is used to sign a common hash value that is sent to the authentication server. The server can then use the known public key for the user to decrypt the hash.
cyclic redundancy check (CRC)  CRC is a mathematical calculation for ensuring data integrity. When the source system transmits a data frame, it calculates the CRC and places the result at the end of the frame.
When the destination receives the data frame, it recalculates the CRC and compares the result to the result that the source sent. If they match, the data is complete and error free. If they do not, there is an error in the data and it is discarded.

D

data classification  The classification used is dependent on the overall sensitivity of the data and the levels of confidentiality desired.
data communication equipment (DCE)  DCE is any device that connects a system to a communications channel or public network.
data consistency  Data viewed or retrieved in different ways will be the same. A transaction will maintain data consistency.
data duplexing  The process of data mirroring where two disk controllers are present. Data mirroring might also exist when only one disk controller is available but might be less efficient because the controller must be responsible for two disk writes.
data hiding  This is when data is unknown by and inaccessible from other layers.
data independence  A characteristic of database systems. The data stored in the database can be used by multiple applications, even by applications which have not been developed yet.
data mining  An analysis technique that requires specialized software and highly trained analysts.
data mirroring  The process of writing data twice. A minimum of two data drives is provided and data is written to both drives. Should one drive fail, the other can be used instead.
data recovery  In the event of an error, or system crash, the system can recover. Transactions in process at the time of the crash are checked and either rolled back or forwarded to complete a transaction and maintain data consistency.
data redundancy  The same data stored in multiple places.
data remanence  Data left over after data is deleted from the system.
data reuse  Data gathered for one use is made available elsewhere.
data terminal equipment (DTE)  DTE is the system that connects to a communications channel or public network.
data-vaulting  The process of storing data at remote locations by electronically moving the data. As data is modified at the prime location, it is refreshed at another location.
data warehouse  An aggregate of an organization’s information.
database management system (DBMS)  The management processes control database creation, manipulation, and access.
decentralized  Computing facilities exist throughout the company. They may or may not be linked with each other.
degauss  To use a demagnetizer to alter the magnetic composition of the data media. This effectively cleans the disk leaving little trace. In short, the data cannot be recovered and the disk is reusable. In technical terms, a variable, alternating current (AC) field (in which current alternates from zero to some maximum value and back again) is applied for the purpose of demagnetizing magnetic recording media.
degausser  An electrical device (AC or DC), or a magnet assembly that can be used to degauss magnetic media.
denial of service (DoS)  An attack on a computer system that results in legitimate users not being able to access it.
dense wave division multiplexing (DWDM)  DWDM uses different colors, and thus wavelengths, of light to transmit multiple data streams simultaneously over a single physical connection.
destruction  Physically altering ADP-system media or components so they are no longer usable for data storage or retrieval.
detective control  A control that protects vulnerability, reduces impact of attack, or prevents its success.
deterrent control  A control that reduces the likelihood of attack.
dictionary attack  An attack on passwords that uses the password encryption algorithm to encrypt each word in a dictionary and compare it to passwords in the encrypted password file. A match means a password has been found.
differential backup  Data files that have changed since the last backup are copied during differential backups. Files are not marked as backed up. The next backup copies files changed since the differential backup, as well as all files previously copied in the differential backup. This continues until a full backup or incremental backup is performed.
Digital Millennium Copyright Act (DMCA)  A federal law that makes it a crime to make, sell, or distribute products or services intended to circumvent the encryption or other technical devices that copyright owners use to protect their copyrighted material. The DMCA also makes it a crime to break encryption or other devices for the purpose of gaining unauthorized access to copyrighted material.
Directive on Data Protection  A law within the European Union requiring the protection of personal information and forbidding the exportation of personal data to countries with inadequate privacy laws.
disaster recovery planning (DRP)  The process of detailing the recovery of critical technology operations.
discretionary access control (DAC)  Restricts access to system objects (files, directories, devices) based on user id and groups. A user with some access permission can pass this on to another user.
discretionary security protection  In this model, users process data at their security level. Security features prevent overwriting of system memory, or interfering with other users’ work.
distributed  In a distributed environment, computers are everywhere and so is the processing of data.
dynamic random access memory (DRAM)  Memory composed of transistors and paired capacitors.

E

eavesdropping  The gathering of information by observing and listening in on transmitted data, for example with a sniffer.
elevated privileges attack  An attack in which an attacker hopes to obtain or increase his privileges on a victim computer.
encryption  Encryption uses algorithms to convert data into an unintelligible form. In basic terms, encryption uses a secret key, a private value, to perform a mathematical function on the data to make it unusable by the casual observer.
environment  The collection of all circumstances, conditions, and objects, including external ones, that have an effect on system development, operation, and maintenance.
erasure  Magnetic media is expunged by degaussing, either by AC current or DC current or by using a magnet.
escort  An appropriately cleared individual assigned to control the activities of the person being escorted. The escort should have appropriate clearance and authorization as well as understand the security implications of the access and activities of the escorted person.
Ethernet  A network protocol and cabling scheme that uses the CSMA/CD access method to transmit data at speeds from 10Mbps to 10Gbps.
ethical hacking  A technique that uses hacker tools and techniques to attack a network or computer with the purpose of finding vulnerabilities and making them known to the owners of the network or computer.
Evaluation Assurance Level (EAL)  Assurance components representing a point on the predefined assurance scale.
Exclusionary Rule  A rule in constitutional law that aims to enforce the rights granted under the Fourth Amendment. The rule states that if evidence is collected in violation of the Fourth Amendment, that evidence shall be excluded from evidence in a trial, such as the trial of a suspected criminal.
export of labeled information  Writing information to another system, while still maintaining the protection mechanism associated with it. This can be done either by assigning security levels to output devices or by writing the sensitivity label with the data.
exposure factor  The frequency of event occurrence is used to estimate the percentage of loss on a particular asset because of a threat.
Extended Binary Coded Decimal Interchange Code (EBCDIC)  EBCDIC is a proprietary IBM method for encoding characters in an 8-bit binary number.
extranet  An extranet is a network connection that provides external access to internal resources. Extranets typically refer to the connection between communications partners’ networks.

F

fail-over cluster  Multiple processors, drives, and other hardware work together to provide an environment where the failure of one component (CPU, drive, and so on) will not mean the failure of processing. Should one system fail, the other takes up the operation.
fair information practices  Recognized methods for protecting privacy of personal data. They include the rights of the data subject to notice about how data will be collected and used, choice about whether it will be collected, and reasonable protection of the data to ensure accuracy, integrity, and security.
Federal Emergency Management Agency (FEMA)  A U.S. agency charged with providing support and funding during and after disasters.
fiber distributed data interface (FDDI)  FDDI is a token-passing ring methodology that uses dual rings to deliver data at 100Mbps.
fiber optic  Fiber optic describes a cable type that uses discrete pulses of light over specially manufactured optical cables for the transmission of data. Fiber optic cable is not susceptible to electro-magnetic interference.
File Transfer Protocol (FTP)  FTP provides for the transfer of files using a client/server model.
firewall  A firewall is a perimeter security device that is designed to filter unwanted traffic from reaching protected resources. Firewalls act as points of entry to protected networks.
flooding net  A collection of compromised machines that are used by an attacker to attack some other victim.
forensics  The use of science and technology to investigate and establish facts that can be used in court.
formal security model  A mathematically precise statement of security policy. The model gives the initial state of the system and notes the process by which the system progresses from one state to another. It defines what is meant by a definition of a secure state of the system. This statement should be supported by formal proof: If the initial state of the system satisfies the definition of secure, all future states will be secure.
formal verification  With formal verification, an automated tool is used to design and test a highly trusted system. It demonstrates the following features: design consistency between a formal specification and a formal security policy model, and implementation consistency between formal specifications and high-level program implementation.
Fourth Amendment  Part of the U.S. Constitution that guarantees citizens protection from unreasonable searches and seizures by the government.
frame relay  Frame relay is a WAN switching technique that uses virtual circuits and bandwidth on demand for the transmission of data.
full backup  A complete copy of all data on the disk is performed.
full duplex  Full duplex is the ability to transmit and receive at the same time.
full recovery test  The process of testing all aspects of recovery.

G

gateway  A gateway is an entry point to or from a network. Gateways are often routers or firewalls. Gateways can be used to provide access between networks using different technologies and protocols.
Gauss  A unit measure representing the magnetic flux density produced by a magnet or other magnetizing force.
goods  Materials and supplies including inspection and test equipment. Technical data is not included.
Gramm-Leach-Bliley  Also known as the Financial Services Modernization Act, which requires financial institutions to give consumers notice about how personal information about them will be used. It also requires institutions to implement safeguards to protect personally identifiable information.
grid computing  The combination of the excess capacity of all computers on a network to perform additional processing.
guidelines  Recommendations for how policies can be implemented.

H

half-duplex  Half-duplex is the capability to transmit or receive, but to only be able to perform one operation at a time.
hardware segmentation  The isolation of software processes and data via the separation of hardware.
Healthcare Insurance Portability and Accountability Act (HIPAA)  The Act generally requires healthcare providers to maintain the confidentiality of patient information.
hearsay  An out-of-court statement that is being offered as evidence in court. Evidence law often prohibits hearsay from being used in court.
hierarchical database  Data is organized in a tree structure with a tree being composed of branches or nodes. Think of the branches as if they are data records; the leaves of the branches are the data. (One example of a hierarchical database is IMS.)
hierarchical storage management (HSM)  The dynamic and automatic management of the storage and retrieval of online data files.
high-level data link control (HDLC)  HDLC is a data link-layer bit-oriented synchronous protocol that is typically used for providing WAN connectivity.
high-speed serial interface (HSSI)  HSSI is a point-to-point protocol that defines transmission speeds of up to 52MBps over short distances. HSSI is often used to connect to ATM and T3 connections.
host-based intrusion detection system (HIDS)  A program that runs on servers and workstations to detect intrusions against the host.
hot site  An alternative site that is completely configured with equipment, systems software, and an appropriate operating environment. It is only necessary to provide personnel, programs, and data.
hub  A hub is a layer-1 device that functions as a multiport repeater. Hubs do not look at or verify the data, but rather they simply receive, boost, and retransmit signals.
hybrid site  Some combination of hot, cold, or warm sites.

I

incident response  Procedures that discuss how to involve management in the response as well as when to involve law enforcement.
incremental backup  Copies data files that have changed since the last backup. Backed-up files are marked and the next backup will not include these files.
indicator  Information that may be seen, heard, or collected from Web sites, tapes, discs, documents, and observations.
information label  A label that is associated with a subject or object (such as a file). It is similar to sensitivity labels, but different, because sensitivity labels may have classification, categories, and dissemination markings, and handling caveats (EYES ONLY). Information labels can change as information content of subject or object changes, while sensitivity labels remain static.
initial program load (IPL)  The start-up process of a mainframe.
Institute of Electrical and Electronics Engineers (IEEE)  The IEEE acts as a coordinating and governing body handling networking, computing, and communications standards.
integrity  The assurance that the data is accurate and reliable.
Integrated Services Digital Network (ISDN)  A technology that was designed to transmit digital data over existing telephone networks.
International Standards Organization (ISO)  An international standards making body that is responsible for defining global standards for communications and data exchange.
Internet  The connection of networks that provides connectivity between networks and resources on a global basis.
Internet Control Message Protocol (ICMP)  ICMP is used on IP networks to provide error reporting, management, and control information.
Internet facing  A computer or device that has a direct connection to the Internet.
Internet Package Exchange (IPX)  IPX is a Novell-proprietary network layer protocol that is used for transmitting data across a network.
Internet Protocol (IP)  IP is a layer-3 protocol that defines the logical addressing of hosts using IP addresses. IP also provides for the routing of data by the use of network identifiers as a part of IP addresses.
network address translation (NAT) NAT is the translation of addresses on one network to addresses on another. It is typically used to translate from internal to public addresses.

network file system (NFS) NFS is a UDP-based file sharing mechanism, typically used for Unix-based networks.

network interface card (NIC) A NIC is a piece of hardware that provides network access to a host system.

network intrusion detection system (NIDS) A NIDS is used to detect unauthorized or malicious data on network segments.

Network News Transfer Protocol (NNTP) NNTP is a network protocol for defining the posting, retrieval, and management of data to newsgroups.

non-essential records Records that are not critical for business continuity. They can be easily recovered or replaced.

nonrepudiation The ability to ensure the authenticity of a message by verifying it using the message's digital signature.

N-type Connector N-type connectors are screw-together connectors that are typically used for interconnecting thicknet/10base5 cabling.

O

object data model A model in which data in an application is associated with a central entity. For example, an object "person" includes all the associated data that defines the person, including address, telephone number, position, and supervisor. In the object model, methods or functions the object can do are also associated with the object. In our "person" object, methods might be "change password" or "change address."

object-oriented database Combines the object data model of object-oriented programming with a DBMS.

object-oriented programming A programming model in which an object data model is used.

Oersted A unit of measure which represents the necessary magnetizing force which will produce the desired magnetic flux across a surface.

open storage The condition where classified information is stored in an accredited facility, but is not in GSA-approved secure containers, nor are authorized personnel in the facility.

open system A computer system that uses normal user interfaces and provides total system access to the user.

Open Systems Interconnect (OSI) OSI is a reference model that is used to define the processes that must occur to enable network communications.

operational controls Operational controls protect day-to-day procedures and include mechanisms such as physical and environmental protection, privileged entry commands, backup, contingency planning, documentation, change control management, hardware controls, and input and output controls.

OPSEC Process The process of understanding your day-to-day operations from the viewpoint of a competitor, enemy, or hacker and then developing and applying countermeasures.

Orange book The common name for the first United States official government security specification. The book was so named because of its orange color.

overwrite See overwrite procedure.

overwrite procedure A procedure which makes data unreadable or destroys data on writable storage media by recording patterns of unclassified data over or on top of the data stored on the media.

overwriting See overwrite procedure.
privacy The protection of personally identifiable information from corruption or unauthorized access.

Privacy Enhanced Mail (PEM) PEM is a proprietary RSA encryption method for ensuring the privacy of email messages.

privilege The right to do something on a computer such as log on, add users to a group, back up files, and so on.

privileged instruction Instructions that only the operating system can run. This code may also address areas of memory or other components restricted to the OS. The OS must be running in supervisor or kernel mode to use these instructions.

procedural safeguards Processes such as safety inspections, fire drills, and security awareness training that will mitigate the effects of a disaster, or perhaps prevent it from occurring.

procedures Mechanisms put into place to ensure the integrity of information and to prevent attacks on the storage of that data (contamination) and on its transmission (interference).

process isolation The ability to run different processes on one computer and yet separate them from one another. Each process has its own data and code space. Consequently, if a process fails, it can only crash itself; other running processes are not affected.

promiscuous mode An operational mode of a network interface card that changes the normal behavior of the card from listening only to information addressed to it, to one where the card listens for all traffic on the network.

protection profiles An implementation-independent set of security requirements for a category of Targets of Evaluation (TOEs) that meet a selection need.

protocol analyzers A type of sniffer.

proxy A proxy is a device that filters requests between systems. Proxies intercept data and make the requests on behalf of the source system.

purging The orderly removal of obsolete data files and data by erasure, overwriting of storage, or resetting of registers.

Q

qualitative risk analysis Estimated loss is used to evaluate the risk.

quantitative risk analysis A mathematical approach to risk analysis in which the probability of occurrence is multiplied by the calculated monetary loss.

R

random access Also known as direct access. Some index, or other capability, exists that allows a search to go directly to the record required.

rapid application development A software development method that uses focus groups, prototyping, and a shortened timeframe.

real memory The Random Access Memory provided by the system hardware.

recovery point objective (RPO) The goal for restoring a business process.

recovery time objective (RTO) The amount of time available to restore a critical business process.

redundant array of inexpensive disks (RAID) RAID provides for fault tolerance of data by using redundant disks for the storage of either mirrored data or parity data that can be used to re-create the original data.
redundant site An alternative site that exactly mirrors the current data processing environment.

reference monitor An abstract machine that enforces TOE access control policies.

referential data integrity The database rule that says no database record can refer to the primary key of a non-existent table.

registers High-speed memory locations in the CPU. There are only a few of these locations.

relational database Data is stored in tables that consist of rows (like records in a regular file) and columns (like fields). Relationships are formed between tables based on a selected primary key.

remanence Remanence may be used to indicate the data left on storage media after the power is turned off. It is also a measure of the magnetic flux density that remains on media after degaussing.

remote authentication dial-in user service (RADIUS) RADIUS is a protocol that provides for the authentication of remote connections and users to network resources.

remote procedure call (RPC) RPC is a client/server architecture that is used for distributed programming.

repeater A repeater is a network device that simply boosts and retransmits signals without reading any of the data being transmitted. Repeaters function at the physical layer.

restricted area An area secured by restrictions and controls in order to safeguard property or material.

Reverse Address Resolution Protocol (RARP) RARP is very similar to ARP; however, RARP resolves known MAC addresses to unknown IP addresses.

revision control The maintenance and tracking of changes to hardware and software.

ring A ring is a network topology in which devices are interconnected to each other in a circular fashion.

ring zero The inner core of the operating system. When the computer is running, different code is said to run at different levels. Ring zero is reserved for privileged instructions and access by the operating system itself.

risk analysis The process of determining if a threat is likely to occur and, if it does, what damage will occur.

risk management The identification, measurement, control, and minimization of loss associated with uncertain events or risks.

router A router is a device which can deliver data to remote networks by using logical addresses and routing protocols to determine the path to the remote network.

S

Safe Harbor on Data Protection An arrangement between the European Union and the U.S. government under which U.S. companies can establish that they are complying with European privacy law by agreeing to protect personal data collected in Europe.

sanitization The elimination of classified information from magnetic media to permit the reuse of the media at a lower classification level or to permit the release to uncleared personnel or personnel without the proper information access authorizations.

sanitized media Magnetic media that can be declassified after classified data is erased or overwritten.

secondary storage Nonvolatile storage. A variety of actual media that can store data and code for a very long time; includes devices such as disks, tapes, and CD-ROMs.

secure electronic transmission (SET) SET was developed to provide a framework for protecting the use of credit cards used in Internet transactions against fraud by using PKI to ensure data integrity and authentication.
segmentation A hardware protection feature in which virtual memory is divided into segments. A process may use many segments, and unprivileged user processes cannot access or modify memory used by the system.

sniffers Devices or software programs that capture packets and decode them.
spoofing An attack technique where some characteristic is misrepresented. An IP source spoof means the IP address of another system is inserted in a packet to replace the source address of the attacker's system.

star property (also known as *property or confinement property) Bell-LaPadula security model rule that allows a subject write access to an object if the security level of the subject is dominated by the security level of the object.

static random access memory Level 2 cache; usually consists of several transistors but no capacitor.

storage area network (SAN) Storage area networks are centrally managed and network-accessible storage systems.

Structured Query Language (SQL) SQL is a protocol that defines the formatting of data for use in mainframes and database communications.

structured walkthrough test A test in which members of the team walk through the plan looking for and correcting weaknesses.

supervisor or kernel mode The opposite of user mode. Supervisor mode is the mode within which the OS runs.

survivability The capability of a system to continue to process critical applications in spite of the fact that it suffered disruptive or damaging events (such as contamination with dust, an earthquake, a bomb, and so on).

swIPe swIPe is a predecessor to IPSec. swIPe provides encryption at the network layer by encapsulating the original packet within the swIPe packet. swIPe does not have policy or key management functionality built into the protocol.

switch A switch is a data link device that can filter, forward, or flood traffic based on MAC address, thereby reducing contention in a network.

switched multimegabit data service (SMDS) SMDS is a high-speed packet switching technology for use over public networks. It is provided for companies that need to send and receive large amounts of data on a bursty basis, providing for connectionless communications. It is a bandwidth-on-demand technology.

switched networks Networks in which switches are used to deliver packets from one computer to another. The switch forms a connection between the devices on the fly, and no computer is exposed to traffic from every computer on the network.

synchronous Synchronous refers to the clocking or timing of data transmissions.

synchronous data link control (SDLC) SDLC is a bit-oriented, synchronous protocol that is typically used for interconnectivity between IBM SNA devices.

system development life cycle The series of steps that tracks the development of applications, from concept through disposal.

system downtime The time when the system is purposefully shut down or made unavailable in order to perform maintenance.

system outage The system is unavailable due to some non-planned event.

T

target of evaluation (TOE) IT product, system, and associated administrator and user guidance documentation—the subject of an evaluation.

technical controls Audit and journaling, integrity validations such as checksums, authentication, and file system permissions.

Telnet Telnet is an application-layer protocol that provides for remote terminal emulation capabilities for TCP/IP-based hosts.
Terminal Access Controller Access Control System Plus (TACACS+) TACACS+ is a remote authentication protocol. Although it has a similar function to RADIUS, TACACS+ differentiates itself by separating the authentication and authorization capabilities, as well as using TCP for connectivity. As a result, TACACS+ is generally regarded as being more reliable than RADIUS.

threat A person, event, or thing which has the ability to cause harm along with the intention to do so.

Time of Check to Time of Use (TOC/TOU) If an instruction is executed in more than one step, it may be possible to compromise the system by attacking between the steps.

tip-off indicator An indicator that provides focus for the attacker. They tell him where to concentrate his efforts.

TOE Security Functions (TSF) The combination of hardware, software, and firmware of the TOE. It enforces the TOE Security Policy.

TOE Security Policy (TSP) The set of rules which determine how TOE assets are managed and protected.

token A form of one-time password authentication that satisfies the "what you have" scenario.

token ring Token ring refers to a network access methodology that uses a token-passing access method over a ring topology to transmit at speeds of 4MBps–16MBps.

trade secret The right to exclusive use of confidential commercial information.

Transmission Control Protocol (TCP) TCP is a transport-layer protocol that provides for reliable data delivery and connection-oriented communications.

Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP is a suite of protocols that defines network communications governing media access, packet transport, session communications, and application functions.

Transport Layer Security (TLS) TLS is a Transport layer security mechanism that provides for encryption of data and access authentication.

trap door Portals that circumvent system protection. They are often legitimate debugging techniques that are accidentally or purposefully left in production code.

Trivial File Transfer Protocol (TFTP) TFTP is a subset of FTP that provides for the transfer of files without authentication. TFTP is a UDP-based transmission method.

Trojan horse A program that masquerades as something else in order to trick a user into running it.

trusted channel A means whereby a remote IT product and TSF can communicate.

Trusted Computer Security Evaluation Criteria (TCSEC) Also referred to as the Orange book of the rainbow series, TCSEC was developed by the Department of Defense to provide guidelines for evaluating vendor security.

trusted computing base (TCB) The sum of hardware, software, and firmware that enforces a security policy for a product. A TCB can enforce a security policy if it contains the appropriate mechanism and is correctly configured by the administrator.

trusted distribution The movement of trusted systems from vendor to customer, such that the exact evaluated system is shipped by the vendor.

trusted facility management Assures separation of duties among operator, administrator, and security administrator, with duties clearly defined for each role.

Trusted Network Interpretation (TNI) The TNI is referred to as the "Redbook" of the rainbow series. The TNI, or Redbook, interprets the TCSEC.

trusted path The user communicates directly with the Trusted Computing Base. It cannot be initiated by untrusted software; with a trusted path, no software can mimic trusted software.
trusted system A system developed in accordance with Orange book criteria and evaluated by these criteria.

tunnel A tunnel is the encapsulation of one protocol within another, often providing security and encryption of the original data.

type-1 magnetic media Magnetic media with coercivity factors not exceeding 325 Oersteds.

type-2 magnetic media Magnetic media with coercivity factors exceeding 325 Oersteds, possibly as high as 750 Oersteds (also known as high-energy media).

U

unicast A unicast is an addressing method in which data is addressed to a specific host.

unshielded twisted pair (UTP) UTP is a point-to-point cable type that provides for both voice- and data-grade transmissions.

User Datagram Protocol (UDP) UDP is a Transport layer protocol that provides for unreliable, connectionless communications.

user mode The mode in which applications and other instructions used by ordinary operators or individuals are run.

V

validation Tests and evaluates to determine if security specs and requirements are met.

verification Compares two levels of specification to ensure correspondence between them.

verify backup The process whereby a backup system checks a tape backup to ensure it is viable.

virtual local area network (VLAN) A VLAN is the logical separation of systems over a physically connected network. VLANs are generally synonymous with subnets.

virtual memory The combination of real memory and that provided by disk paging or swap files.

virtual private network (VPN) A VPN provides for secure transmission of data over an otherwise insecure medium by encrypting the data in a tunnel.

virus A program loaded onto a computer without the permission of the owner and then run without permission. Viral code hides itself within legitimate code.

vital records Records that have critical importance to the company and whose loss or damage would have critical impact on business continuity.

vulnerability A weakness in a computer system, software, device, infrastructure, or operation which may allow a threat to succeed.

W

war dialer A program or device that automatically dials a range of phone numbers and reports on those that are answered by a computer or fax machine.

warm site This alternative site might be partially configured. Some peripheral equipment, such as printers, might be available.

Web services Small, reusable programs that can be accessed from otherwise unconnected sources. Web services may be written in XML and used to communicate across the Internet or an organization's intranet.

worm Malware that spreads itself from one computer to another across a network.
X–Z

X Window A remote graphical user interface emulation protocol that is typically used for Unix connectivity. Similar in concept to Telnet, X Window provides for the remote display of the GUI environment.

X.25 X.25 is a highly reliable WAN connection technique that functions at the physical and data link layers of the OSI model. X.25 uses virtual circuits for establishing the communications channel between hosts.

X.400 X.400 is a messaging formatting standard that defines how addressing is performed.

xDSL An acronym for multiple types of Digital Subscriber Line. xDSL is a high bandwidth broadband connection method that is typically used for Small Office and Home Office connectivity.
APPENDIX B
Overview of the Certification Process

This appendix explains the CISSP certification process and looks at what is involved in taking the CISSP Exam. At the time of writing, this information is accurate; however, (ISC)2 reserves the right to change exam and certification track information at any time, thus, it's worth checking their Web site at http://www.ISC2.org to see whether there have been any changes to the program.

• Answer questions regarding criminal history and background

To obtain the certification you must do the following:

• Pass the exam with a score of 700 or more

• Complete an endorsement form that provides validation by a CISSP or an officer of your corporation, which attests to your experience
APPENDIX C
What's on the CD-ROM

This appendix is a brief rundown of what you'll find on the CD-ROM that comes with this book. For a more detailed description of the PrepLogic Practice Tests, Preview Edition exam simulation software, see Appendix D, "Using the PrepLogic Practice Tests, Preview Edition Software." In addition to the PrepLogic Practice Tests, Preview Edition, the CD-ROM includes the electronic version of the book in Portable Document Format (PDF), several utility and application programs, and a complete listing of test objectives and where they are covered in the book.

PREPLOGIC PRACTICE TESTS, PREVIEW EDITION

PrepLogic is a leading provider of certification training tools. PrepLogic is trusted by certification students worldwide, and we believe it is the best practice exam software available. In addition to providing a means of evaluating your knowledge of the Training Guide material, PrepLogic Practice Tests, Preview Edition features several innovations that help you to improve your mastery of the subject matter.

For example, the practice tests allow you to check your score by exam area or domain to determine which topics you need to study more. Another feature allows you to obtain immediate feedback on your responses in the form of explanations for the correct and incorrect answers.

PrepLogic Practice Tests, Preview Edition exhibits most of the full functionality of the Premium Edition but offers only a fraction of the total questions. To get the complete set of practice questions and exam functionality, visit PrepLogic.com and order the Premium Edition for this and other challenging exam titles.

Again, for a more detailed description of the PrepLogic Practice Tests, Preview Edition features, see Appendix D.

EXCLUSIVE ELECTRONIC VERSION OF TEXT

The CD-ROM also contains the electronic version of this book in PDF. This electronic version comes complete with all figures as they appear in the book. You will find that the search capabilities of the reader come in handy for study and review purposes.
APPENDIX D
Using the PrepLogic Practice Tests, Preview Edition Software

This Training Guide includes a special version of PrepLogic Practice Tests—a revolutionary test engine designed to give you the best in certification exam preparation. PrepLogic offers sample and practice exams for many of today's most in-demand and challenging technical certifications. This special Preview Edition is included with this book as a tool to use in assessing your knowledge of the Training Guide material while also providing you with the experience of taking an electronic exam.

This appendix describes in detail what PrepLogic Practice Tests, Preview Edition is, how it works, and what it can do to help you prepare for the exam. Note that although the Preview Edition includes all the test simulation functions of the complete, retail version, it contains only a single practice test. The Premium Edition, available at PrepLogic.com, contains the complete set of challenging practice exams designed to optimize your learning experience.

EXAM SIMULATION

One of the main functions of PrepLogic Practice Tests, Preview Edition is exam simulation. To prepare you to take the actual vendor certification exam, PrepLogic is designed to offer the most effective exam simulation available.

Question Quality

The questions provided in the PrepLogic Practice Tests, Preview Edition are written to the highest standards of technical accuracy. The questions tap the content of the Training Guide chapters and help you review and assess your knowledge before you take the actual exam.

Interface Design

The PrepLogic Practice Tests, Preview Edition exam simulation interface provides you with the experience of taking an electronic exam. This enables you to effectively prepare for taking the actual exam by making the test experience a familiar one. Using this test simulation can help eliminate the sense of surprise or anxiety you might experience in the testing center because you will already be acquainted with computerized testing.

Effective Learning Environment

The PrepLogic Practice Tests, Preview Edition interface provides a learning environment that not only tests you through the computer, but also teaches the material you need to know to pass the certification exam.
692 Appendix D USING THE PREPLOGIC PRACTICE TESTS, PREVIEW EDITION SOFTWARE
Each question comes with a detailed explanation of the correct answer and often provides reasons the other options are incorrect. This information helps to reinforce the knowledge you already have and also provides practical information you can use on the job.

SOFTWARE REQUIREMENTS

PrepLogic Practice Tests requires a computer with the following:

• Microsoft Windows 98, Windows Me, Windows NT 4.0, Windows 2000, or Windows XP.

• A 166MHz or faster processor is recommended.

• A minimum of 32MB of RAM.

• As with any Windows application, the more memory, the better your performance.

• 10MB of hard drive space.

Installing PrepLogic Practice Tests, Preview Edition

Install PrepLogic Practice Tests, Preview Edition by running the setup program on the PrepLogic Practice Tests, Preview Edition CD. Follow these instructions to install the software on your computer:

• Insert the CD into your CD-ROM drive. The Autorun feature of Windows should launch the software. If you have Autorun disabled, click Start and select Run. Go to the root directory of the CD and select setup.exe. Click Open, and then click OK.

• The Installation Wizard copies the PrepLogic Practice Tests, Preview Edition files to your hard drive; adds PrepLogic Practice Tests, Preview Edition to your Desktop and Program menu; and installs test engine components to the appropriate system folders.

Removing PrepLogic Practice Tests, Preview Edition from Your Computer

If you elect to remove the PrepLogic Practice Tests, Preview Edition product from your computer, an uninstall process has been included to ensure that it is removed from your system safely and completely. Follow these instructions to remove PrepLogic Practice Tests, Preview Edition from your computer:

• Select Start, Settings, Control Panel.

• Double-click the Add/Remove Programs icon.

• You are presented with a list of software installed on your computer. Select the appropriate PrepLogic Practice Tests, Preview Edition title you want to remove. Click the Add/Remove button. The software is then removed from your computer.

USING PREPLOGIC PRACTICE TESTS, PREVIEW EDITION

PrepLogic is designed to be user friendly and intuitive. Because the software has a smooth learning curve, your time is maximized because you start practicing almost immediately. PrepLogic Practice Tests, Preview Edition has two major modes of study: Practice Test and Flash Review.
Using Practice Test mode, you can develop your test-taking abilities as well as your knowledge through the use of the Show Answer option. While you are taking the test, you can expose the answers along with a detailed explanation of why the given answers are right or wrong. This gives you the ability to better understand the material presented.

Flash Review is designed to reinforce exam topics rather than quiz you. In this mode, you will be shown a series of questions but no answer choices. Instead, you will be given a button that reveals the correct answer to the question and a full explanation for that answer.

To your left, you are presented with the option of selecting the preconfigured Practice Test or creating your own Custom Test. The preconfigured test has a fixed time limit and number of questions. Custom Tests allow you to configure the time limit and the number of questions in your exam.

The Preview Edition included with this book includes a single preconfigured Practice Test. Get the complete set of challenging PrepLogic Practice Tests at PrepLogic.com and make certain you're ready for the big exam.

Click the Begin Exam button to begin your exam.
• Item Review—This button leaves the question window and opens the Item Review screen. From this screen you will see all questions, your answers, and your marked items. You will also see correct answers listed here when appropriate.

• Show Answer—This option displays the correct answer with an explanation of why it is correct. If you select this option, the current question is not scored.

• Mark Item—Check this box to tag a question you need to review further. You can view and navigate your Marked Items by clicking the Item Review button (if enabled). When grading your exam, you will be notified if you have marked items remaining.

• Previous Item—View the previous question.

• Next Item—View the next question.

• Grade Exam—When you have completed your exam, click to end your exam and view your detailed score report. If you have unanswered or marked items remaining, you will be asked if you would like to continue taking your exam or view your exam report.

Time Remaining

If the test is timed, the time remaining is displayed on the upper-right corner of the application screen. It counts down minutes and seconds remaining to complete the test. If you run out of time, you will be asked if you want to continue taking the test or if you want to end your exam.

Your Examination Score Report

The Examination Score Report screen appears when the Practice Test mode ends—as the result of time expiration, completion of all questions, or your decision to terminate early.

This screen provides you with a graphical display of your test score with a breakdown of scores by topic domain. The graphical display at the top of the screen compares your overall score with the PrepLogic Exam Competency Score.

The PrepLogic Exam Competency Score reflects the level of subject competency required to pass this vendor's exam. While this score does not directly translate to a passing score, consistently matching or exceeding this score does suggest you possess the knowledge to pass the actual vendor exam.

Review Your Exam

From Your Score Report screen, you can review the exam that you just completed by clicking on the View Items button. Navigate through the items viewing the questions, your answers, the correct answers, and the explanations for those questions. You can return to your score report by clicking the View Items button.

Get More Exams

Each PrepLogic Practice Tests, Preview Edition that accompanies your training guide contains a single PrepLogic Practice Test. Certification students worldwide trust PrepLogic Practice Tests to help them pass their IT certification exams the first time. Purchase the Premium Edition of PrepLogic Practice Tests and get the entire set of all new challenging Practice Tests for this exam. PrepLogic Practice Tests—Because You Want to Pass the First Time.
CONTACTING PREPLOGIC
If you would like to contact PrepLogic for any reason
including information about our extensive line of certi-
fication practice tests, we invite you to do so. Please
contact us online at www.preplogic.com.
Customer Service
If you have a damaged product and need a replacement
or refund, please call the following phone number:
800-858-7674
LICENSE AGREEMENT
YOU MUST AGREE TO THE TERMS AND CON-
DITIONS OUTLINED IN THE END USER
LICENSE AGREEMENT (“EULA”) PRESENTED
TO YOU DURING THE INSTALLATION
PROCESS. IF YOU DO NOT AGREE TO THESE
TERMS, DO NOT INSTALL THE SOFTWARE.
Index
SYMBOLS

* (star) property
  Bell-LaPadula security model, 31-32, 345
  Biba security model, 32
3DES. See Triple-DES
5-4-3 rule, 579
8mm tape, 157
10BASE-2 networks, 79, 579
10BASE-5 networks, 79, 579
200Mbps Fast Ethernet, 97

A

A division (Orange Book), 134
A1 class (Orange Book), 134, 358
abstraction, 217, 351, 587, 598
acceptable usage policy (AUP), 214, 224
access control. See also ACLs (access control lists)
  administration, 27-29, 576
  attacks
    brute-force attacks, 41, 577
    denial-of-service attacks, 42, 577
    dictionary attacks, 41
    sniffing attacks, 43, 578
    spoofing attacks, 42-43, 578
  authentication. See authentication
  Bell-LaPadula model, 30-33, 576
  Biba model, 32-33, 577
  case study, 52-53
  centralized access control, 38, 577
  decentralized access control, 38-40, 577
  defining data access, 209
  discretionary access control, 20, 576
  exam objective overview, 13-14, 17
  identification. See identification
  IPSec standard, 371
  lattice-based access control, 22-25, 576
  Liptner’s lattice, 33, 577
  mandatory access control, 21-22, 576
  noninference models, 33, 577
  penetration testing. See penetration testing
  physical access controls, 540-544, 618
  procedures, 211
  reference monitor, 348-349
  remote access. See remote access
  role-based access control, 26-27, 576
  rule-based access control, 25, 576
  storage area networks (SANs), 260
  versus accountability, 18-19
  versus authentication, 17-18
access logs, 541-542
access servers, 119, 583
accidents, 447
accountability, 18-19, 188, 576, 586
  logging, 19
accounts receivable, insurance coverage, 461
accreditation, 284
ACKs (acknowledgements), 127
ACLs (access control lists), 27, 347, 576, 597
  versus labels, 353
ACM (Configuration Management) class, 367
attacks (continued)
  denial-of-service (DoS) attacks, 42, 267-269, 577
  detective controls, 390
  deterrent controls, 390
  dictionary attacks, 41, 266-267
  elevated privileges attacks, 407
  integrity attacks, 182
  jump-point attacks, 412
  keyboard attacks, 426
  known versus unknown attacks, 45
  known-plaintext attacks (KPAs), 321-322
  LAND attacks, 151
  man-in-the-middle attacks, 323-324, 596
  meet-in-the-middle attacks, 324, 596
  NAK (negative acknowledgement) attacks, 272
  network abuses
    class A network abuses, 147-148
    class B network abuses, 148-149
    class C network abuses, 149-150
    class D network abuses, 150-151
    class E network abuses, 152-154
    class F network abuses, 154-155
  nuke attacks, 412
  passive attacks, 45
  preventative controls, 390
  probing attacks, 154-155
  pseudoflaw attacks, 272
  random attacks, 412
  replay attacks, 323, 596
  as risk factor, 193
  SMURF attacks, 151, 268
  spoofing attacks, 42-43, 152, 269-270, 578
  strategic attacks, 412
  teardrop attacks, 151
  Trojan horses, 152-153, 243, 247
Audit (FAU) class, 366
audit controls, 389, 604
audit logs, 542
audit trails, 512
auditing, 188-190, 395-398, 586, 605
  keystroke monitoring, 189-190
  procedures, 211
  protecting audit data, 190
AUI (Attachment Unit Interface) connections, 81
AUP (acceptable usage policy), 224
authentic evidence, 511
authentication, 184-187, 311-312, 389, 577, 585-586
  biometrics, 36
  case study, 52-53
  MACs (message authentication codes), 316
  passwords, 35-36, 185-187
  RADIUS (Remote Authentication Dial-In User Service), 38
  remote access authentication, 124
  SSO (single sign-on) scheme, 37
  SANs (storage area networks), 260
  strong authentication, 185
  TACACS (Terminal Access Controller Access Control System), 38
  ticket schemes, 36-37
  versus access control, 17-18
Authentication Header (AH), 373
automatic sprinkler systems, 553
AVA (Vulnerability Assessment) class, 368
availability, 131, 183, 585
awareness training, 227-228
AXENT, 403

B

B division (Orange Book), 133-134, 358
B1 class (Orange Book), 133, 358
B2 class (Orange Book), 134, 358
B3 class (Orange Book), 134, 358
back doors, 153
Back Orifice, 273
computer forensics, 513-517
  case study, 519-520
Computer Fraud and Abuse Act, 503-504, 615
Computer Incident Response Team (CIRT), 141-142
Computer Security Handbook, 455
computer-aided software engineering (CASE), 291-292
confidential data, 219-220, 588
confidentiality, 181-182, 310-311, 585
  access control lists, 347
  Bell-LaPadula security model, 30-32, 343-345
  IPSec standard, 371
  networks and, 130-131
  Orange Book standard. See Orange Book standard
  SANs (storage area networks), 260
configuration management, 226-227
Configuration Management (ACM) class, 367
configuration procedures, 211
conflicts of interest, 519
connections, network
  cell-switched, 114, 582
  circuit-switched, 113, 582
  dedicated, 111-112
  Frame Relay, 116, 159, 583
  HSSI (High Speed Serial Interface), 118
  ISDN (Integrated Services Digital Network), 116-117, 583
  packet-switched, 113, 582
  SDLC (Synchronous Data-Link Control), 116, 583
  X.25, 115, 583
  xDSL (Digital Subscriber Line), 117-118, 583
Constitution (U.S.), Fourth Amendment, 513, 616
consumer fraud-related computer attacks, 505
contamination, 182
Content-Based Access Control (CBAC), 138
contention, 90
contention-based media access, 95
controlled access protection (Orange Book, class C2), 358
controlled security mode, 353, 599
controls, 604
  identifying available controls, 389-391
  system development controls, 277-285
    best practices, 285
    RAD (Rapid Application Development), 282-283, 593
    security control architecture, 283-285, 593
    spiral lifecycle model, 280-282, 592-593
    waterfall lifecycle model, 278-280, 592
copyrights, 498-499, 613
  case study, 520-521
core (fiber-optic cable), 84
core dumps, 558
corrective controls, 390, 604
cost-benefit analysis (CBA), 194-195, 203-204, 587
counteranalysis, 395
countermeasures, 393, 408
  cost/benefit analysis, 203-204, 587
  disgruntled employees, 415-416
  employee-related threats, 412-414
  hiring and firing/exit practices, 414-415
  information system threats, 409-410
  Internet-based threats, 416-417
  mainframe threats, 410-411
  physical threats, 417-418
  threat risk analysis, 408-409
covert storage channels, 354, 599
covert timing channels, 354
Crack program, 323
crackers, 275
credit card memory, 258
criminal law, 497, 503-505, 613-615
cryptanalysts, 320
Cryptographic Support (FCS) class, 366
cryptography, 181-182, 187, 594-595. See also encryption
  asymmetric encryption, 315-316, 595
  authentication and, 311-312, 594
  confidentiality and, 310-311, 594
  digital signatures, 317, 595
  hash functions, 316-317, 595
  integrity and, 311, 594
  nonrepudiation and, 312
  objective overview, 307
  one-time ciphers, 318
  symmetric encryption, 313-314, 595
CSMA/CD (Carrier Sense, Multiple Access/Collision Detection), 95-96
CSU/DSU (Channel Service Unit/Data Service Unit), 119, 583
CTCPEC (Canadian Trusted Computer Product Evaluation Criteria), 356
Cybersafe, 403
CycSecure, 261

D

D division (Orange Book), 133, 358
DAC. See discretionary access control
daisy-chaining, 89
damage (risk category), 193
DAT (digital audio tape), 157
data access, defining, 209
Data Circuit-Terminating Equipment, 76
data classification, 218-222, 587-588
  commercial classification, 219
  criteria for, 221
  government classification, 220, 588
  procedures, 221-222
data clustering, 156, 585
data disposal, 556-559
Data Encryption Standard (DES), 218, 314
data hiding, 217, 587
data integrity. See integrity
data marts, 255
data mining, 255
data models, 251-252
data remanence, 427
data safes, 469
data storage, 256-259
  document libraries, 555-556
  electronic media, 553-555
  offsite, 559
  RAID (redundant array of inexpensive disks), 155-156, 474, 584-585
  SANs (storage area networks), 259-260
data striping with parity, 474
Data Terminal Equipment (DTE), 76
data vaulting, 468, 473-474, 612
data warehouses, 255
database management system (DBMS), 249-255, 589-590
databases, 249-255, 590-591
  data models, 251-252
  distributed databases, 252
  hierarchical, 252
  network databases, 252
  object-oriented databases, 252
  packed, 557
  relational databases, 251
  versus data marts, 255
  versus data warehouses, 255
Data Link layer, OSI model, 75-77, 579
DBMS (database management systems), 249-255, 589-590
DCE (Data Circuit-Terminating Equipment), 76
DDoS (distributed denial-of-service) attacks, 151, 269, 468
decentralized access control, 38-40, 577
  domains, 39-40
  trust relationships, 40
decryption, 313, 595
dedicated connections, WANs, 111-112
dedicated security mode, 352, 598
degaussers, 557-558
degaussing, 425-427, 557-558
delayed loss, 196
deleting user accounts, 28
Delivery and Operation (ADO) class, 367
demonstrative evidence, 510
denial-of-service (DoS) attacks, 42, 267-269, 577
dense wave division multiplexing (DWDM), 87
DES (Data Encryption Standard), 218, 314
destruction vulnerabilities, 535-536
detective controls, 390, 604
deterrent controls, 390, 604
Development (ADV) class, 368
dial-up access, 119-120
dictionary attacks, 41, 266-267
differential backups, 157, 475-476, 585
digital audio tape (DAT), 157
digital certificates, 319
Digital Immune System for Cyberspace (IBM), 248
digital linear tape (DLT), 157
Digital Millennium Copyright Act (DMCA), 499
digital signatures, 317, 595
  hash functions, 316-317
  nonrepudiation, 188, 312
digital V-Ohm meters, 82
direct access, 257
direct evidence, 616
directed broadcasts, 94
Directive on Data Protection (European Union), 501
dirty power supplies, 544
disabling user accounts, 28
disaster recovery planning (DRP), 466-467, 611-612. See also business continuity planning
  antidisaster procedures, creating, 468-469
  backups, 472-481
    alternative sites, 478-481
    alternatives to tape, 481
    hardware backups, 478
    procedures and policies, 474-477
    tape storage, 477
    vital records, 477
  contact numbers, recording, 472
  emergency control centers, 459
  emergency response procedures, 470-471
  listing potential disasters, 445-448
  necessary resources, listing, 469-470
  normal operations, restoring, 472
  objective overview, 439-440
  risk analysis, 447-448
  scope of plan, determining, 468
  step-by-step instructions, creating, 471
  versus business continuity planning, 448-450
disclosure (risk category), 193
  vulnerabilities, 535-536
discretionary access control, 20, 576
discretionary security property (Bell-LaPadula security model), 345
discretionary security protection (Orange Book, class C1), 358
disks, 553-555
  degaussing, 558
disposing of data. See data disposal
distilled water, 553
distributed databases, 252, 590
distributed denial-of-service (DDoS) attacks, 151, 269, 468
distributed systems, 589
  examples of, 244-245
  malware for, 246-248
  massively distributed systems, 245
Health Insurance Portability and Accountability Act of 1996 (HIPAA), 18, 183, 500
hearsay rule, 511, 616
heat detectors, 560
HIDSs (host-based intrusion detection systems), 45, 140, 401-403
hierarchical databases, 252, 590
Hierarchical Storage Management (HSM), 158, 480
HIPAA (Health Insurance Portability and Accountability Act of 1996), 18, 183, 500
host-based intrusion detection systems (HIDSs), 45, 140, 401-403
hosts, 75
hot sites, 478, 612
HSM (Hierarchical Storage Management), 158, 480
HSSI (High Speed Serial Interface) connections, 118, 583
hubs, 77, 99-100, 581
humidity, 548
Hutt, Arthur, 455
hybrid sites, 479, 613

I

ICMP (Internet Control Message Protocol), 129
(ISC)2
  Code of Ethics, 518-519
  physical security categories, 532
  Web site, 687-688
identification, 184-185, 577, 585-586
  biometrics, 36
  case study, 52-53
  one-time passwords, 36
  passwords, 35-36
  single sign-on (SSO) scheme, 37
  ticket schemes, 36-37
Identification and Authentication (FIA) class, 366
IDSs (intrusion detection systems), 44, 401-403
  anomaly detection, 47
  behavior-based intrusion detection systems, 141
  HIDSs (host-based intrusion detection systems), 45, 140, 401-403
  knowledge-based intrusion detection systems, 140-141
  NIDSs (network-based intrusion detection systems), 45, 139-141
  pattern matching, 46-47, 578
  thresholds, setting, 189
IEEE 802 standards, 95
IEEE 802.2 protocol, 76
IEEE 802.3 protocol, 76
IKE (Internet Key Exchange), 372
illogical processing, 195
imperfect evidence, 512
inbound NAT, 143
incident-response procedures, 211
incremental backups, 157, 475-476, 585
indicators, 392-394
  tip-off indicators, 394
information security management. See security management
information security policies, 205-209, 587
  baselines, creating, 210
  data access, defining, 209
  defining, 207
  development of, 206
  guidelines, creating, 210
  inventory of assets, identifying, 207-209
  procedures, implementing, 210-212
  standards, setting, 209-210
information system security standards. See security standards
Information Technology Security Evaluation Criteria. See ITSEC
P

packed databases, 557
packet analysis, 399-401
packet-filtering firewalls, 104, 107, 581
packet-sniffing software, 137-139
packet-switched connections, WANs, 113, 582
paper documents, storage of, 555-556
parity checks, 316
partial backups, 474
passive
  attacks, 45
  monitoring, 189
    physical access controls, 542-544
  technologies, 90
passwords, 35-36, 185-187
  access control administration, 28-29
  brute-force attacks, 148, 266-267
  checkers, 186
  dictionary attacks, 266-267
  generators, 186
  one-time passwords, 35-36
patents, 498, 613
pattern-based application recognition, 138
pattern-matching IDSs (intrusion detection systems), 46-47, 578
PBX fraud, 148-149
PBX Scanner, 406
PCMCIA cards, 258
PDAs (personal digital assistants), backups, 476
PEM (Privacy Enhanced Mail) protocol, 137
penetration testing, 48, 403-407, 578, 605
  ethical issues, 49-50
  performing, 50-51
  tools for, 51-52
  versus security assessments, 49
permissions
  access control and, 29
  permission sets, 388
PGP (Pretty Good Privacy), 218
phone tag (war dialer), 406
photoelectric smoke detectors, 550-551
phreaking, 275
physical and components asset class, 534-535
physical and environmental procedures, 211
physical intrusion-detection mechanisms, 559-561
Physical layer, OSI model, 76-77, 579
physical security, 532-533
  asset classes, 533-535, 617-618
  case study, 562-563
  detection mechanisms, 559-561
  exam objective overview, 529-532
  paper storage, 555-556
  removable electronic media, 553-555
  secure sites, 538
    environmental controls, 547-548, 619
    fire prevention and detection, 549-553, 619
    location and construction of sites, 539-540, 561-562, 618
    physical access controls, 540-544, 618
    power-supply issues, 544-547, 618-619
    water exposure problems, 548-549, 619
  theft, 537, 618
  vulnerabilities, 535-537
physical threats, 417-418
piggy-backing, 154
PIN codes, 185
PKI (public key infrastructure), 187, 318-319, 596
plaintext, 313, 595
  chosen-plaintext attacks, 322, 596
  known-plaintext attacks, 321-322, 596
planning for information security, 191-192
Q

QADAD (quick-and-dirty application development), 283
QIC (Quarter Inch Cartridge) backup systems, 157
qualitative risk analysis, 196-197, 202, 409, 586
quantitative risk analysis, 196-197, 408
QuickTime, 73

R

RAD (Rapid Application Development), 282-283, 593
radiation technologies, 561
RADIUS (Remote Authentication Dial-In User Service), 37-38, 124, 577, 584
RAID (redundant array of inexpensive disks), 155-156, 474, 584-585
  RAID 0, 155
  RAID 1, 155, 585
  RAID 2, 155, 585
  RAID 3, 155, 585
  RAID 4, 155, 585
  RAID 5, 156, 585
Rainbow Series, 133, 359-360. See also Orange Book standard
RAM (random access memory), 256-259
  removing data from, 425
RAMBUS DRAM, 257
random attacks, 412
Rapid Application Development (RAD), 282-283
RARP (Reverse Address Resolution Protocol), 130
real evidence, 510
real memory, 256
Real Secure Desktop Protection, 402
Real Secure Server Sensor, 402
real-time clock (RTC), 258
RealAudio files, 73
RealSecure for Nokia, 402
reasonable doubt, 497
recovery time objective (RTO), 453-454
Red Book (Rainbow Series), 359
redundant array of inexpensive disks. See RAID
redundant sites, 479, 613
reference monitor, 348-349
referential integrity, 250
reflexive property (lattice-based access control), 23-25
registers, 257
relational databases, 251, 590
remote access, 119-124, 583-584
  authentication, 124, 577
  tunneling, 120-121
  VPNs (virtual private networks), 121-124
Remote Authentication Dial-In User Service. See RADIUS
remote-control lock systems, 542
remote hosts, 75
Remote Procedure Calls (RPCs), 74
removable electronic media, 553-555
removal vulnerabilities, 535-536
repeaters, 77, 99-100, 581
replacement cost, 461
replay attacks, 323, 596
residual risk, 204
Resource Utilization (FRU) class, 367
resources
  identifying resources to be protected, 387-388
  isolation, 352
  listing necessary resources, 469-470
Reverse Address Resolution Protocol (RARP), 130
revision control, 226-227
RFC 1087, “Ethics and the Internet,” 517-518
RI/RO (Ring in/Ring out) ports, 98
Rijndael algorithm, 314
ring 0, 388
ring topology, 92, 580-581
risk analysis, 194-195, 408-409, 586
  asset valuation, 196-197
  cost-benefit analysis, 194-195, 203-204
  government vs. nongovernment organizations, 194
  outside consultants, 197
  qualitative risk analysis, 202, 586
  quantitative vs. qualitative approaches, 196-197
  responses to, 587
  steps of, 197-200
  threats and vulnerabilities, identifying, 195-196
  variables, 200
risk management, 192-205, 586
  countermeasures, cost/benefit analysis, 203-204
  risk analysis, 194-195
    asset valuation, 196-197
    cost-benefit analysis, 194-195, 203-204
    government vs. nongovernment organizations, 194
    outside consultants, 197
    qualitative risk analysis, 202
    quantitative vs. qualitative approaches, 196-197
    steps of, 197-200
    threats and vulnerabilities, identifying, 195-196
    variables, 200
  risk categories, 193
  risk factors, 193
role-based access control, 26-27, 576
roles
  IT roles and responsibilities, 214
  operations security roles, 387-395
    identifying available controls, 389-391
    identifying privileges to be restricted, 388
    identifying resources to be protected, 387-388
  security roles and responsibilities, 212
    integration of, 214-215
    IT staff, 214
    management responsibilities, 213
    user responsibilities, 213-214
ROM (read-only memory), removing data from, 425
routers, 75, 103-104, 118, 581-583
routing, 75
RPCs (remote procedure calls), 74
RTC (real-time clock), 258
RTO (recovery time objective), 453-454
rule-based access control, 25, 576. See also ACLs (access control lists)

S

S/Key one-time password program, 36
S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol, 137
sabotage, 446
sadadmin worm, 247
safe harbor, 501, 614
Samspade, 407
Sandtap, 406
SANs (storage area networks), 259-260, 591
SANS Institute, 507
SBU (sensitive but unclassified) data, 220, 588
SC (Stick and Click) connectors, 86
scope, determining
  of business continuity plans, 451-452
  of disaster recovery plans, 468
screened subnets, 132
screened-host firewalls, 107-108
screened-subnet firewalls, 108
SDLC (Synchronous Data-Link Control) protocol, 116, 583
SDRAM (synchronous DRAM), 257
SDSL (Single-line Digital Subscriber Line) connections, 117
secondary storage, 256
secret data, 220, 588
secret-key encryption, 313-314
V

valuable papers, insurance coverage, 461
Vampire taps, 81
variance detection controls, 389, 604
VDSL (Very High Digital Subscriber Line) connections, 118
verified design (Orange Book, class A1), 358
vibration sensors, 560
video RAM (VRAM), 259
virtual circuits, 74
virtual LANs (VLANs), 101-103, 581
virtual memory, 256, 283
virtual nodes, 122
virtual private networks. See VPNs
viruses, 243
  email and, 146-147
  network security and, 153
vital records, backing up, 477
VLANs (virtual LANs), 101-103
volatile memory. See RAM
VPNs (virtual private networks), 121-124, 584
  encryption, 218
  security management and, 192
VRAM (video RAM), 259
vulnerabilities, 392, 535-537. See also threats
  destruction vulnerabilities, 535-536
  disclosure vulnerabilities, 535-536
  exam objective overview, 529-532
  identifying, 195-196
  interruption vulnerabilities, 535-536
  removal vulnerabilities, 535-536
  software-based vulnerabilities, 270-272
Vulnerability Assessment (AVA) class, 368
vulnerability scanners, 51

W

WAN switches, 118, 583
WANs (wide area networks), 110-111. See also network computing; network security
  cell-switched connections, 114
  circuit-switched connections, 113
  dedicated connections, 111-112
  Frame Relay connections, 116, 583
  HDLC (High-Level Data-Link Control), 115, 583
  ISDN (Integrated Services Digital Network), 583
  packet-switched connections, 113
  PPP (Point-to-Point Protocol), 114-115
  SDLC (Synchronous Data-Link Control), 116, 583
  SMDS (Switched Multimegabit Data Services), 583
  X.25 connections, 115
war, 446
war dialers, 406
warm sites, 478, 613
waste disposal, 556-559, 620
water exposure problems, 548-549, 619
waterfall system development lifecycle model, 278-280, 592
WAV (Windows Audio Volume) files, 73
Web services, 263-265, 591
wet standpipe systems, 553
wide area networks. See WANs
windowing, 128
windows, 544
wireless networks, 87-88, 580
Wiretap Act, 504, 615
WMF (Windows Media File) format, 73
work for hire, 499, 613
worms, 246
  network security and, 153
Writing Secure Code (Howard and LeBlanc), 238, 293
WWW (World Wide Web) applications, 72
X-Z

X Window protocol, 127
X-rays, 561
X.25 WAN connections, 115, 583
xDSL (Digital Subscriber Line) connections, 117-118, 583
XML (Extensible Markup Language), 264